Abstract 

This thesis investigates how the formal modeling and verification techniques of computer 
science can be used for the analysis of hybrid systems [7,14,22,37] — systems involving both 
discrete and continuous behavior. The motivation behind such research lies in the inherent 
similarity of the hierarchical and decentralized control strategies of hybrid systems and the 
communication and operation protocols used for distributed systems in computer science. 
As a case study, the thesis focuses on the development of techniques that use hybrid I/O 
automata [29,30] to model and analyze automated vehicle transportation systems and, in 
particular, their various protection subsystems — control systems that are used to ensure 
that the physical plant at hand does not violate its various safety requirements. 

The thesis is split into two major parts. In the first part, we develop an abstract model of a 
physical plant and its various protection subsystems — also referred to as protectors. The 
specialization of this abstract model results in the specification of a particular automated 
transportation system. Moreover, the proof of correctness of the abstract model leads to 
simple correctness proofs of the protector implementations for particular specializations 
of the abstract model. In this framework, the composition of independent protectors is 
straightforward — their composition guarantees the conjunction of the safety properties 
guaranteed by the individual protectors. In fact, it is shown that under certain conditions 
composition holds for dependent protectors also. 

In the second part, we specialize the aforementioned abstract model to simplified versions 
of the personal rapid transit system (PRT 2000™) under development at Raytheon Cor- 
poration. We examine overspeed and collision protection for a set of vehicles traveling on 
straight tracks, on binary merges, and on a directed graph of tracks involving binary merges 
and diverges. In each case, the protectors sample the state of the physical plant and take 
protective actions to guarantee that the physical plant does not reach hazardous states. The 
proofs of correctness of such protectors involve specializing the abstract protector to the 
physical plant at hand and proving that the suggested protector implementations are cor- 
rect. This is done by defining simulations among the states of the protector implementations 
and their abstract counterparts. 
E The set of external variables of a HIOA. 
V The set of all variables of a HIOA. 
V The set of discrete transitions of a HIOA. 
h-trace(a) The hybrid trace of the hybrid execution a. 
states(A) The set of all states of the HIOA A. 
n.b. nota bene; Latin for "take special note of". 

op. cit. opere citato; Latin for "in the work/text cited" 

v.g. verbi gratia; Latin for "for example". 

v.i. vide infra; Latin for "see below". 

v.s. vide supra; Latin for "see above". 

viz. videlicet; Latin for "that is to say" or "namely". 

vs. versus; Latin for "against". 

Mathematical Notation 

Z The set of valuations of the set of variables Z. 

V The universal set of variables. 

|X| The cardinality of the set X. 

The complement of the set X. 

The projection of the function f to the set X. 

The projection of the function f to the element y. 

The restriction of the function f to the set X. 

Functions. 

The time axis, i.e., a compact subgroup of (R,+). 

An interval in the time axis, i.e., a non-empty convex subset of T. 

The limit time of a trajectory w, i.e., sup(dom(w)). 



c max The maximum allowable velocity of any vehicle. 

c max The maximum acceleration of a vehicle that has not collided. 

c min The minimum acceleration of a vehicle that has not collided. 

Ci(t) The section of track claimed by the vehicle i in time t. 

ci en The minimum allowable separation between vehicles. 

d max The maximum protector sampling period. 

Ei The section of track occupied by the vehicle i, i.e., the extent of the vehicle i. 

Oi The section of track owned by the vehicle i. 






Chapter 1 



Introduction 



This thesis investigates how the formal modeling and verification techniques of computer 
science can be used for the analysis of hybrid systems [7,14,22,37] — systems involving both 
discrete and continuous behavior. The motivation behind such research lies in the inherent 
similarity of the hierarchical and decentralized control strategies of hybrid systems and the 
communication and operation protocols used for distributed systems in computer science. 
As a case study, the thesis focuses on the development of techniques that use hybrid I/O 
automata [29,30] to model and analyze automated vehicle transportation systems and, in 
particular, their various protection subsystems — control systems that are used to ensure 
that the physical plant at hand does not violate its various safety requirements. 

The thesis is split into two major parts. In the first part, we develop an abstract model of a 
physical plant and its various protection subsystems — also referred to as protectors. The 
specialization of this abstract model results in the specification of a particular automated 
transportation system. Moreover, the proof of correctness of the abstract model leads to 
simple correctness proofs of the protector implementations for particular specializations 
of the abstract model. In this framework, the composition of independent protectors is 
straightforward — their composition guarantees the conjunction of the safety properties 
guaranteed by the individual protectors. In fact, it is shown that under certain conditions 
composition holds for dependent protectors also. 

In the second part, we specialize the aforementioned abstract model to simplified versions 
of the personal rapid transit system (PRT 2000™) under development at Raytheon Cor- 
poration. We examine overspeed and collision protection for a set of vehicles traveling on 
straight tracks, on binary merges, and on a directed graph of tracks involving binary merges 
and diverges. In each case, the protectors sample the state of the physical plant and take 
protective actions to guarantee that the physical plant does not reach hazardous states. The 
proofs of correctness of such protectors involve specializing the abstract protector to the 
physical plant at hand and proving that the suggested protector implementations are correct. 
This is done by defining simulations among the states of the protector implementations 
and their abstract counterparts. 

1.1 Hybrid Systems 

The trend of system integration and automation has resulted in large and complex systems 
involving hierarchical and/or decentralized control structures. The higher levels of control 
are based on discrete algorithms and are often modeled using finite automata techniques 
from computer science. The lower levels of control address continuous behavior and are 
based on well established control theoretic techniques. The inherent complexity of the mix 
of continuous and discrete control and the need of a precise and efficient model for hybrid 
systems has encouraged research in this field. 

The similarity of the hierarchical and/or decentralized control structure of hybrid systems 
with the distributed system setting in computer science has nurtured a distributed systems 
approach of analyzing hybrid systems. This approach is based on various formal modeling 
techniques developed for the verification and the proof of correctness of distributed sys- 
tems in computer science. Such techniques use the principles of abstraction and modular 
decomposition to provide simple and concise models of complex systems. Once a particular 
system is decomposed into succinct parts, various composition theorems are used to prove 
that the system is functioning according to its specifications, i.e., the system is correct. 

1.1.1 Formal Framework 

The formal modeling techniques that are used in this thesis are based on the hybrid I/O 
automaton model [29,30]. This model is an extension of the timed I/O automaton model [11, 
34] and allows the explicit treatment of continuous behavior. The hybrid I/O automaton 
model is inspired by the phase transition models [2,4,35,36]. 

The hybrid I/O automaton model is a (possibly) infinite state model of a system involving 
both discrete and continuous behavior. The states of a hybrid I/O automaton (HIOA) are 
the valuations of a set of variables. The discrete behavior of a HIOA is modeled by discrete 
jumps in state which are described by labeled transitions. The labels of such transitions 
are the actions that carry out the transition from the initial to the final state of the jump. 
The continuous behavior of a HIOA is modeled by continuous changes in state which are 
described by sets of trajectories. The external interface of a HIOA is dictated by the 
partition of its variables and its actions into three categories: input, internal, and output. 
The behavior of the system being modeled over time is described by hybrid executions — 
finite or infinite alternating sequences of trajectories and actions. The externally visible part 
of a hybrid execution is denoted as the hybrid trace of the hybrid execution and involves 
the evolution of the input and output variables of the HIOA. 

A HIOA $A_1$ implements another HIOA $A_2$ if every external behavior of $A_1$ is allowed by 
$A_2$. In this setting $A_1$ and $A_2$ are referred to as the implementation and the specification, 
respectively. The notion of an implementation relation is given by inclusion of the sets 
of hybrid traces; that is, the set of hybrid traces of $A_1$ is a subset of the set of hybrid 
traces of $A_2$. The composition of two HIOA is defined as their synchronization on shared 
input/output variables and input/output actions. Under straightforward and simple con- 
ditions, the composition of two HIOA results in a HIOA. Moreover, composition respects 
the implementation relation, i.e., supposing B is a HIOA, if the HIOA $A_1$ implements the 
HIOA $A_2$, then the composition of $A_1$ with B implements the composition of $A_2$ with B. 

Most of the proofs in the HIOA framework use invariant assertions and simulations. In the 
case of invariant assertions, the proofs are by induction on the length of a hybrid execution 
of the HIOA at hand. Such proofs show that a particular predicate on the state of the 
HIOA is satisfied in every state of the execution. A simulation is a mapping between the 
states of the two HIOA and is used to prove that one HIOA implements another. The 
fact that the mapping is indeed a simulation is again done by induction on the length of a 
hybrid execution of the implementation. This induction matches up individual steps in the 
implementation with either single steps, or sequences of steps, in the specification. 

1.1.2 Related Work 

The recent interest in the area of hybrid systems has resulted in a number of techniques to 
model and analyze their behavior. In particular, models that are analogous to the timed I/O 
automaton model [11,34] are the models of Alur and Dill [6], Lamport [20], and Henzinger, 
Manna, and Pnueli [18]. As is the case with the timed I/O automaton model, these models 
have also been extended to the hybrid setting; for instance, the timed transition model [18] 
has been extended to the phase transition model [35,36]. Phase transition systems are 
analogous to hybrid I/O automata — the transitions and the activities of phase transition 
systems correspond to the discrete transitions and the trajectories of hybrid I/O automata. 
The hybrid system model [2,4] is similar to the phase transition model with the distinction 
that, as in the hybrid I/O automaton model, discrete transitions are labeled, thus allowing 
the appropriate synchronization of composed automata. The distinction between the hybrid 
system model [2,4] and the hybrid I/O automaton model lies in the latter's classification 
of the discrete transitions and variables into input, internal, and output. 

In the realm of applications, the formal modeling techniques presented above have been used 
for the analysis of various problems. The railroad crossing problem [15] and the steam boiler 
problem [1,21] comprise two commonly used benchmark problems. The former benchmark 
problem considers the control of a railroad gate that prevents cars and pedestrians from 
crossing the railroad tracks while the train is in the vicinity of the crossing. This gate must 
be lowered prior to the arrival of the train and lifted once the train has passed by. The 
latter benchmark problem involves the control of the level of water in a steam boiler. 

The success in the modeling, analysis, and controller design for the above benchmark prob- 
lems has encouraged the formal modeling of more complex hybrid systems; for example, au- 
tomated transportation systems [41,42], industrial and chemical processes [9,40], rail-vehicle 
control [39], and complex automotive suspension systems [38]. The motivation behind such 
research lies mostly in the safety-critical nature of the systems at hand. In the case of 
automated transportation systems, the safety of the passengers has greatly encouraged the 
use of formal techniques. 

The recent interest in addressing safety concerns related to automated highway systems 
and, in particular, the California PATH project [41], has resulted in a surge of hybrid sys- 
tem problems. The goal of PATH is to increase vehicle throughput by organizing traffic 
into platoons of closely spaced vehicles. Godbole, Lygeros, and Sastry [12,13,23,25,27] at 
U.C. Berkeley have studied various problems that arise in the control of the vehicle pla- 
toons. Such problems address the control of the leader of a platoon in view of following 
the preceding platoon at a safe distance, tracking an optimal cruising velocity, and per- 
forming various platoon maneuvers. The platoon maneuvers that have been addressed are 
the platoon join, in which two or more adjacent platoons join to form a single platoon, the 
platoon split, in which a platoon splits in two, and the platoon lane change. Lygeros [22] and 
Lygeros et al. [26,27] used a game theoretic approach to prove that all platoon maneuvers 
are safe. Recently, Dolginova and Lynch [8] have used hybrid I/O automata to model and 
verify the safety of the platoon join maneuver. 

On a similar note, Weinberg [43] has analyzed a deceleration maneuver in which a discrete 
controller slows a train down to a target velocity range within a given distance. In further 
research, Weinberg et al. [42] have modeled the personal rapid transit system (PRT 2000™) 
under development at Raytheon Corporation and verified the correct operation of the emer- 
gency control components used to guarantee that the vehicles neither exceed a prespecified 
speed limit, nor collide among themselves. 

1.2 Automated Transportation Systems 

Among the hybrid systems that are being analyzed using formal methods, systems in trans- 
portation are particularly common. This is due to the fact that such systems are safety- 
critical and, therefore, their correct analysis and verification is of utmost importance. 

Figure 1.1 Separation of system functionality into operation and protection. 

An important feature of the design of the various autonomous transportation systems is 
their absolute safety requirements. These requirements translate to stringent design criteria 
and have led to the complete separation of the system functionality into the parallel 
components of operation and protection as shown in Figure 1.1. The operation component 
is responsible for the "normal" control of the system and can be composed of complex soft- 
ware and hardware. The protection component is responsible for the "emergency" control 
of the system and is designed to be simple and reliable. In ordinary operation, the protec- 
tion component is not supposed to take any action — it merely monitors the system. In 
a potentially hazardous situation, however, the protection component must react strongly 
enough to guarantee that, regardless of the behavior of the operation component, the safety 
requirements are met. In the interest of making the protection component reliable, design- 
ers keep it simple; instead of having complex control abilities, the protection component 
depends only on the correct execution of a few decisive emergency commands. 

The separation of operation and protection functions is a generally recognized engineering 
paradigm for the design of safety-critical systems. In the realm of transportation systems, 
this structure was initially used in the design of railroad systems. Automatic safety systems 
were added to human-controlled railroad systems to protect against human error and me- 
chanical malfunctions. As railroad and mass transit systems have evolved to become more 
automated, this division of labor has been retained in the form of Automatic Train Op- 
eration (ATO) and Automatic Train Protection (ATP) systems. This paradigm occurs in 
most existing automated train systems, including the Washington Metro, the Miami People 
Mover, the O'Hare People Mover, the Detroit People Mover, and systems in Toronto, Van- 
couver, and Jacksonville. The use of this split migrated to automated vehicle transportation 
systems with the pioneering Morgantown PRT system in the late sixties; this system has 
been in continuous active use for over 20 years with no serious accidents. 

1.2.1 The PRT 2000™ 

Raytheon engineers are currently working on the design and development of a new personal 
rapid transit (PRT) system called PRT 2000™. This system uses 4-passenger vehicles that 
travel on an elevated guideway with Y-shaped merges and diverges. Passengers on this 
system board at stations and travel directly to their desired destination stations without 
intermediate stops. Compared to conventional transportation systems, the PRT 2000™ 
can provide shorter average trip times and shorter average waiting times with equivalent 
passenger throughput. These performance improvements are achieved because the vehicles 
are separated on the guideway by only a few seconds, instead of the minutes typical of 
a conventional transit system. The vehicles are controlled by a distributed network of 
computers, which receive data from sensors on the vehicles and in the tracks. 

Once again, the control of the PRT 2000™ is split into the Automated Vehicle Operation 
System (AVOS) and the Automated Vehicle Protection System (AVPS). The AVOS is in 
charge of the normal operation of the system and the AVPS is used to protect the system 
against hazards. 

1.2.2 Formal Modeling of the PRT 2000™ 

The safety-critical nature of the PRT 2000™ has led to an interest in modeling its pro- 
tection system using formal modeling techniques from computer science. The advantage of 
using such modeling methods is twofold. First, they formalize the safety concerns addressed 
by the protection system and, second, they are used to prove the correctness of the protec- 
tion system at hand. The safety properties that are addressed are those of overspeed and 
collision avoidance, i.e., either the property that the vehicles comprising the system do not 
exceed the speed limit, or the property that they do not collide among themselves. These 
are by no means the only safety requirements enforced by the AVPS of the PRT 2000™, 
but they are among the most important and complex. 

The approach to modeling this automated transportation system is based on abstraction 
and modular decomposition. Abstraction is used to mask all inessential implementation 
details from the model of the system. Modular decomposition is used either to model 
each of the safety properties in isolation, or to model a particular safety property as the 
conjunction of several less complex safety properties. As shown in Figure 1.2, the protection 
system is defined as the composition of a set of simpler modules referred to as protectors. 
The composition of all these protectors results in a protection system that enforces the 
conjunction of the safety properties enforced by the individual protectors being composed. 
For instance, in the case of a protection system that prevents the vehicles from exceeding 
the speed limit, each of the protectors would correspond to protection subsystems that 
prevent individual vehicles from exceeding the speed limit. However, their composition 
would constitute an overspeed protection system for all the vehicles. 

Figure 1.2 Modular decomposition of the AVPS of the PRT 2000™. 

This thesis extends the work by Weinberg, Lynch, and Delisle [42] on modeling the AVPS 
of the personal rapid transit system (PRT 2000™) under development at Raytheon Corporation. 
Weinberg et al. [42] model the PRT 2000™ as a transportation system where: 

• vehicles are traveling on a single track, 

• vehicle velocities are non-negative, 

• vehicles can stop instantaneously, as if they could hit a brick wall, 

• collisions among vehicles are pairwise, 

• brakes are binary, i.e., the braking of a particular vehicle results in a vehicle deceler- 
ation equal to a prespecified value, 

• the acceleration is constrained to a particular range of values, and 

• the vehicle brakes comprise monotonic system constraints, i.e., the instruction of a 
vehicle to brake can never be revoked. 

In addition to the above assumptions, the communication among the various subsystems of 
the PRT 2000™ is assumed to be reliable, periodic, and timely. 

Weinberg et al. [42] verify the correctness of the overspeed and the collision protection 
subsystems. First, it is shown that the overspeed protector guarantees that none of the 
vehicles exceed the speed limit and that the collision protector prohibits vehicle collisions 
provided that none of the vehicles exceed the speed limit. Then using a one-way depen- 
dence protector composition theorem it is shown that the composition of the overspeed and 
collision protectors guarantees that the vehicles neither exceed the speed limit, nor collide 
among themselves. It should be noted that the model of the physical plant is simplified to 
the point that abrupt changes of the vehicle velocities, due to collisions for example, are 
not modeled. The advantage of this simplification is that the overspeed protector does not 
depend on the collision protector and, therefore, the one-way dependence protector com- 
position theorem suffices. The disadvantage is that the simplified model might not be a 
truthful representation of the real physical plant. 

In this thesis, we extend the protector composition results of Weinberg et al. [42] and relax 
their modeling assumptions about the PRT 2000™. Regarding the composition of protec- 
tion systems, we present theorems that dictate the conditions under which the composition 
of independent, one-way dependent, and even two-way dependent protectors guarantees the 
conjunction of the safety properties guaranteed by the individual protectors being com- 
posed. Regarding the transportation system model, two of the aforementioned assumptions 
are relaxed. First, the constraint on the track topology is gradually relaxed from that 
of a single track to that of a general track topology involving a directed graph of tracks 
comprised of Y-shaped merges and diverges. Second, the monotonicity constraint on the 
instruction of the vehicles to brake is relaxed such that the instruction of a vehicle to brake 
may be revoked, provided the vehicle in question is out of risk. Moreover, in an effort to 
truthfully model the transportation system, we extend the model of the physical plant to 
allow vehicle collisions that can adversely affect the velocity and the acceleration of the 
vehicles involved in a collision. Thus, since collisions may cause instantaneous jumps in 
vehicle velocities, the overspeed protector must require that no collisions ever occur in the 
physical plant; that is, the overspeed and the collision protectors are two-way dependent. 
Subsequently, it is shown that the two-way dependence composition conditions are met by 
the proposed overspeed and collision protectors and that their composition results in a pro- 
tection system that guarantees that the vehicles neither exceed the speed limit, nor collide 
among themselves. 

1.3 Thesis Overview 

In order for this thesis to be self contained, Chapter 2 gives a short and terse treatment of 
the hybrid I/O automaton model [30] and describes the conventions used in the specification 
of HIOA in this thesis. In order to facilitate the modeling of complex system properties, we 
introduce notation to allow the explicit restriction of the states of a hybrid I/O automaton 
to sets of states that are comprised of all states satisfying complex state properties of 
the HIOA. In Chapter 3, we present an abstract model of a physical plant interacting with 
various protection systems. Both the physical plant and the protection systems are modeled 
as hybrid I/O automata. Provided that protectors are independent, they can be composed 
and their composition guarantees the conjunction of the safety properties guaranteed by 
the individual protectors being composed. Under certain conditions, the same applies for 
the composition of protectors that rely on the correct operation of each other. The abstract 
protector is defined as the composition of a sensor automaton and a discrete controller 
automaton. The sensor samples the state of the physical plant at regular intervals of time 
and the discrete controller issues protective actions so as to guarantee that the physical 
plant exhibits a particular safety property. 

In subsequent chapters, we present a simple model of the PRT 2000™ and introduce over- 
speed and collision protectors. This is done for increasingly complicated track topologies. 
First we consider a single track, then a Y-shaped merge, and, finally, a general track topol- 
ogy comprised of Y-shaped merges and diverges. Chapter 4 defines a system of n vehicles 
traveling on a single track and Chapters 5 and 6 define its overspeed and collision protectors. 
Chapter 7 extends the model of the physical plant to involve a Y-shaped merge and defines 
a collision protector for the new model. Chapter 8 augments the model of the physical 
plant to involve a general track topology comprised of Y-shaped merges and diverges and 
defines a collision protector for the new model. In Chapter 9, we prove that the overspeed 
and collision protectors of the various track topologies can be composed so as to guarantee 
that the vehicles neither exceed the speed limit, nor collide among themselves. Finally, in 
Chapter 10 we give a summary of the thesis, an evaluation of the research presented, and 
directions in which such research could be extended or continued. 
Chapter 2 



Hybrid I/O Automata 



The hybrid I/O automaton (HIOA) model [29,30] is based on the timed I/O automaton 
model [10,11,33,34], but includes explicit treatment of continuous behavior. To make this 
thesis self contained, this chapter gives a complete but terse treatment of the HIOA model 
with an emphasis on those aspects used in subsequent chapters. The presentation follows 
precisely that of Lynch, Segala, Vaandrager, and Weinberg [30]. 

The chapter is organized as follows. We begin by defining auxiliary concepts and notation 
pertaining to functions, time, variables, valuations, and trajectories. We proceed to define 
hybrid I/O automata, hybrid executions, and hybrid traces. Next, we define a simulation re- 
lation between a pair of HIOA and the notion of HIOA composition. Finally, we describe the 
conventions used in the specification of HIOA in this thesis. In particular, we describe how 
states, discrete transitions, and trajectories of a HIOA are specified and how to explicitly 
restrict the states of a HIOA in view of enforcing complex state properties. 

2.1 Preliminary Mathematical Notation 

This section defines various auxiliary concepts and notation that are used in the definition 
of the hybrid I/O automaton model. 

Functions 

With dom(f) and range(f) we denote the domain and the range, respectively, of the function 
f. If f is a function and X a set, then we write $f\lceil X$ for the restriction of f to X, i.e., 
the function g with $dom(g) = dom(f) \cap X$ satisfying $g(x) = f(x)$, for all $x \in dom(g)$. We 
say that two functions f and g are compatible if $f\lceil dom(g) = g\lceil dom(f)$. If f and g are 
compatible functions, then we write $f \cup g$ for the function h with $dom(h) = dom(f) \cup dom(g)$ 
such that $h(x) = f(x)$, if $x \in dom(f)$, and $h(x) = g(x)$, otherwise, for all $x \in dom(h)$. More 
generally, if F is a set of pairwise compatible functions then we write $\bigcup_{f \in F} f$ for the 
unique function g with $dom(g) = \bigcup_{f \in F} dom(f)$ such that $g(x) = f(x)$, for all $f \in F$ and 
$x \in dom(f)$. If f is a function whose range consists of a set of functions and X is a set, 
then the projection $f \downarrow X$ is the restriction of the functions in range(f) to the set X, i.e., 
the function g with $dom(g) = dom(f)$ defined by $g(x) = f(x)\lceil X$, for all $x \in dom(g)$. The 
projection operator $\downarrow$ extends to sets of functions by pointwise extension. Also, if f is a 
function whose range consists of a set of functions that all have an element y in their domain, 
then the projection $f \downarrow y$ is the function with domain dom(f) defined by $(f \downarrow y)(x) = f(x)(y)$, 
for all $x \in dom(f)$. 

Time 

Throughout this thesis, we fix the time axis T to be a compact subgroup of $(\mathbb{R}, +)$, i.e., 
the real numbers with addition. Henceforth, we exclusively use the set of real numbers $\mathbb{R}$ 
as the time axis. An interval $T_I$ is a non-empty convex subset of T. As usual, intervals 
are denoted by $[t_1, t_2] = \{t \in T \mid t_1 \le t \le t_2\}$, etc. An interval $T_I$ is right-open (left- 
open), if it does not have a maximum (minimum) element, and right-closed (left-closed), 
otherwise. We write $\max(T_I)$ and $\min(T_I)$ for the maximum and the minimum elements, 
respectively, of the interval $T_I$ (if they exist), and $\sup(T_I)$ and $\inf(T_I)$ for the supremum 
and infimum, respectively, of the interval $T_I$ in $T \cup \{-\infty, \infty\}$. For $T' \subseteq T$ and $t \in T$, we 
define $T' + t = \{t' + t \mid t' \in T'\}$. Thus, for a function f with domain $T'$, we define $f + t$ to 
be the function with domain $T' + t$ satisfying $(f + t)(t') = f(t' - t)$, for all $t' \in T' + t$. 

Variables and Valuations 

We assume a universal set $\mathcal{V}$ of variables. Variables in $\mathcal{V}$ are typed, where the type of a 
variable, such as reals, integers, etc. is given by type(v); that is, type(v) is the domain over 
which the variable v ranges. Letting $V \subseteq \mathcal{V}$, a valuation of V is a function that associates 
to each variable v of V a value in type(v). We adopt the convention that the set of all 
valuations of a set of variables V is denoted by $\mathbf{V}$. Often, valuations of a set of variables V 
are referred to as states. 

Letting $v \in \mathcal{V}$ and $S_v \subseteq type(v)$, we use the notation $v :\in S_v$ to denote the assignment of an 
arbitrary element of the set $S_v$ to the variable v. Similarly, letting $V \subseteq \mathcal{V}$ and $S_V \subseteq \mathbf{V}$, we 
use the notation $V :\in S_V$ to denote the assignment of an element of the set type(v) to the 
variable v, for each v in V, such that the resulting valuation of V is an arbitrary element 
of the set $S_V$. 

Let $Z$ be a set of variables, $z$ be a state of $Z$, and $Z'$ be a subset of $Z$, i.e., $Z \subseteq \mathcal{V}$, $z \in \mathbf{Z}$, 
and $Z' \subseteq Z$. The restriction of the state $z$ to the set of variables $Z'$, denoted by $z\lceil Z'$, is 
defined to be the valuation $z'$ of the variables of $Z'$ in $z$. Letting $X \subseteq \mathbf{Z}$, we say that $X$ 
is $Z'$-determinable if for all $x \in X$ and $z \in \mathbf{Z}$, such that $x\lceil Z' = z\lceil Z'$, it is the case that 
$z \in X$. Intuitively, if $X$ is $Z'$-determinable then, for any state $z$ in $\mathbf{Z}$, the information 
provided by the restriction of the state $z$ to the set of variables $Z'$ is sufficient to determine 
whether the state $z$ is a member of the set $X$. In other words, the information provided by 
the restriction of the state $z$ to the set of variables $Z - Z'$ is irrelevant in the determination 
of whether the state $z$ is a member of the set $X$. Moreover, if $X$ is $Z'$-determinable and 
$z' \in \mathbf{Z'}$, we use the notation $z' \in X$ to denote that there exists a state $x \in X$ such that 
$x\lceil Z' = z'$. In fact, since $X$ is $Z'$-determinable, the existence of a state $x \in X$ such that 
$x\lceil Z' = z'$ implies that for all states $z \in \mathbf{Z}$ such that $z\lceil Z' = z'$ it is the case that $z \in X$. 

Trajectories 

A trajectory over a set of variables $Z$ is a function $w : T_1 \to \mathbf{Z}$, where $T_1$ is a left-closed 
interval of $T$ with left endpoint equal to $0$. A trajectory represents the evolution of the 
valuations of the variables in $Z$ within the interval $T_1$. With $dom(w)$ we denote the domain 
of $w$ and with $trajs(Z)$ the collection of all trajectories over $Z$. A trajectory $w$ with domain 
$T_1$ is often referred to as a $T_1$-trajectory. 

A trajectory $w$ is closed, if its domain is a (finite) right-closed interval, and full, if its 
domain equals $T^{\ge 0}$. For $W$ a set of trajectories, $Closed(W)$ and $Full(W)$ denote the subsets 
of closed and full trajectories in $W$, respectively. If $w$ is a trajectory, then the limit time of 
$w$, denoted by $w.ltime$, is defined to be the supremum of $dom(w)$. A trajectory $w$ is finite 
if $w.ltime \ne \infty$. We define the first state of a trajectory $w$, denoted by $w.fstate$, to be the 
state $w(0)$. Moreover, if the domain of a trajectory $w$ is right-closed, then we define the last 
state of $w$, denoted by $w.lstate$, to be the state $w(w.ltime)$. A trajectory with domain $[0, 0]$ 
is called a point trajectory. If $s$ is a state, then we define $\wp(s)$ to be the point trajectory 
that maps to $s$. 

For a trajectory $w$ and $t \in T^{\ge 0}$, we define $w \unlhd t = w\lceil[0, t]$ and $w \lhd t = w\lceil[0, t)$. It is 
important to note that $w \lhd 0$ is not a trajectory. By convention, $w \unlhd \infty = w \lhd \infty = w$. 
Similarly, if $w$ is a trajectory and $T_1$ is a left-closed interval with $\min(T_1) \in dom(w)$, then we 
define the curtailment of $w$ to $T_1$, denoted by $w \downharpoonright T_1$, to be the trajectory $(w\lceil T_1) - \min(T_1)$, 
or equivalently the trajectory $w'$ with domain $(T_1 \cap dom(w)) - \min(T_1)$ defined by $w'(t') = 
w(t' + \min(T_1))$, for all $t' \in dom(w')$. 

If $w$ is a trajectory over $Z$ and $Z' \subseteq Z$, then the projection $w \downarrow Z'$ is the trajectory over $Z'$ 
with domain $dom(w)$ defined by $(w \downarrow Z')(t)(z') = w(t)(z')$, for all $z' \in Z'$. The projection 
operation is extended to sets of trajectories by pointwise extension. Also, if $w$ is a trajectory 
over $Z$ and $z \in Z$, then the projection $w \downarrow z$ is the function from $dom(w)$ to the domain of 
$z$ defined by $(w \downarrow z)(t) = w(t)(z)$. 

If $w$ is a finite trajectory with domain $T_1$, $w'$ is a trajectory with domain $T_2$, and $w.lstate = 
w'.fstate$ if $w$ is closed, then we define the concatenation of $w$ and $w'$ to be the trajectory 
$w \frown w' = w \cup (w' + w.ltime)$. We extend the concatenation operator to an infinite sequence 
of finite trajectories $w_0 w_1 w_2 \cdots$. If $w_i.lstate = w_{i+1}.fstate$, for each trajectory pair $w_i$ 
and $w_{i+1}$, for $i \in \mathbb{N}$, in which the trajectory $w_i$ is closed, then we define the infinite 
concatenation of the infinite sequence of finite trajectories $w_0 w_1 w_2 \cdots$ to be the trajectory 
$w_0 \frown w_1 \frown w_2 \cdots = \bigcup_{i \in \mathbb{N}} \big(w_i + \sum_{j < i} w_j.ltime\big)$. 

A trajectory $w$ is a prefix of a trajectory $w'$, denoted by $w \le w'$, if $w = w'\lceil dom(w)$; that 
is, either $w = w'$, or $w' = w \frown w''$, for some trajectory $w''$. With $Pref(W)$ we denote the 
prefix-closure of $W$: $Pref(W) = \{w \mid \exists w' \in W : w \le w'\}$. A set $W$ is prefix closed if 
$W = Pref(W)$. A trajectory in $W$ is maximal if it is not a prefix of any other trajectory in 
$W$. We write $Max(W)$ for the subset of maximal trajectories in $W$. 

2.2 The Hybrid I/O Automaton Model 

A hybrid I/O automaton $A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, \mathcal{W})$ consists of the following 
components: 

• Three disjoint sets $U$, $X$, and $Y$ of variables, called input, internal, and output variables, 
respectively. 

Variables in $E = U \cup Y$ are called external, and variables in $L = X \cup Y$ are called local. 
We write $V = U \cup L$ and let $s$, $u$, and $w$ range over $\mathbf{V}$, $\mathbf{U}$, and $trajs(V)$, respectively. 

• Three disjoint sets $\Sigma^{in}$, $\Sigma^{int}$, and $\Sigma^{out}$ of actions, called input, internal, and output 
actions, respectively. 

We assume that $\Sigma^{in}$ contains a special element $e$, the environment action, which represents 
the occurrence of a discrete transition outside the system that is unobservable, 
except (possibly) through its effect on the input variables. Actions in $\Sigma^{ext} = \Sigma^{in} \cup \Sigma^{out}$ 
are called external, and actions in $\Sigma^{loc} = \Sigma^{int} \cup \Sigma^{out}$ are called locally controlled. We 
write $\Sigma = \Sigma^{in} \cup \Sigma^{loc}$ and let $a$ range over $\Sigma$. 

• A non-empty set $\Theta \subseteq \mathbf{V}$ of initial states satisfying: 

Init (initial states closed under change of input variables) 
$s \in \Theta \Rightarrow \exists s' \in \Theta : (s'\lceil U = u) \wedge (s'\lceil Y = s\lceil Y)$ 

• A set $\mathcal{D} \subseteq \mathbf{V} \times \Sigma \times \mathbf{V}$ of discrete transitions satisfying: 

D1 (input action enabling) 

$a \in \Sigma^{in} \Rightarrow \exists s' \in \mathbf{V} : s \xrightarrow{a}_A s'$ 

D2 (environment actions that do not change inputs do not affect the state) 

$(s \xrightarrow{e}_A s') \wedge (s\lceil U = s'\lceil U) \Rightarrow (s = s')$ 

D3 (discrete transitions do not depend on input variable changes) 

$(s \xrightarrow{a}_A s') \Rightarrow \exists s'' \in \mathbf{V} : (s \xrightarrow{a}_A s'') \wedge (s''\lceil U = u) \wedge (s''\lceil Y = s'\lceil Y)$ 

For any discrete transition $(s, a, s')$ of the automaton $A$, i.e., $(s, a, s') \in \mathcal{D}$, the states $s$ 
and $s'$ are referred to as the pre-state and post-state, respectively, of the discrete 
transition $(s, a, s')$. Moreover, as in the above treatment, we often use the notation 
$s \xrightarrow{a}_A s'$ to denote that $(s, a, s')$ is a discrete transition of the automaton $A$, i.e., 
$(s, a, s') \in \mathcal{D}$. 

• A set $\mathcal{W}$ of trajectories over $V$ satisfying: 

T1 (existence of point trajectories) 

$\wp(s) \in \mathcal{W}$ 

T2 (closure under subintervals) 

$w \in \mathcal{W} \wedge (T_1 \text{ left-closed subinterval of } dom(w)) \Rightarrow w \downharpoonright T_1 \in \mathcal{W}$ 

T3 (completeness) 

$(\forall t \in T^{\ge 0} : w\lceil[0, t] \in \mathcal{W}) \Rightarrow w \in \mathcal{W}$ 

The intuition captured by Axioms Init and D1–D3 is that a HIOA is responsible for performing 
locally controlled actions and for modifying the values of its local variables, whereas 
the environment of a HIOA is responsible for performing input actions and modifying the 
values of the input variables. 

Axiom Init says that a system may not constrain the initial values of its input variables. 
Thus, if we change the input variables of an initial state, then there is a way to change 
the internal variables as well (while leaving the output variables unchanged) so that the 
resulting state is an initial state also. 

Axiom D1, which is simply the hybrid extension of the input enabling axiom from the 
(untimed) I/O automaton model [11,32,34], says that a HIOA should accept all input 
actions in all states. Axiom D2 postulates that an environment action that does not affect 
the input variables cannot be "detected" by the automaton and, therefore, leaves the state 
unchanged. Axiom D3 states that there is no functional dependence between the input 
and the output variables of a HIOA during a transition; that is, a HIOA cannot react 
instantaneously to an input variable change. If there is an $a$-step from a state $s$ to a state 
$s'$, then, for any valuation $u$ of the input variables, there also exists an $a$-step from $s$ to a 
state $s''$ with an input part $u$ and an output part equal to that of $s'$. The internal variables of 
$s'$ and $s''$ need not have the same values, since otherwise it would not be possible for a HIOA 
to record all the discrete changes in its input variables. The technical use of Axiom D3 is 
to avoid cyclic constraints during the interaction of two systems. In this way, we can show 
that the composition of two HIOA is still input enabled and that the environment can never 
block the output actions of a system. 

Axioms D2 and D3 imply that the environment action $e$ can never affect the output variables 
of a HIOA. Consider any transition $(s, e, s') \in \mathcal{D}$ and suppose that $s'\lceil Y \ne s\lceil Y$. 
Letting $u = s\lceil U$, Axiom D3 implies that there exists $s'' \in \mathbf{V}$ such that $(s, e, s'') \in \mathcal{D}$, 
$s''\lceil U = s\lceil U$, and $s''\lceil Y = s'\lceil Y$. Since $s''\lceil U = s\lceil U$ and $s''\lceil Y \ne s\lceil Y$, Axiom D2 is violated. 
Therefore, it follows that there does not exist $(s, e, s') \in \mathcal{D}$ such that $s'\lceil Y \ne s\lceil Y$. 

Axioms T1–T3 state some natural conditions on the set of trajectories needed to set up 
our theory: existence of point trajectories, closure under subintervals, and the fact that a 
full trajectory is in $\mathcal{W}$ if and only if all its prefixes are in $\mathcal{W}$. 

The Axiom Init and the Axioms D1–D3 that are presented here are slightly different from 
the respective axioms introduced in the preliminary version of the HIOA model [29]. The 
new axioms allow a HIOA to change the values of its internal variables if the environment 
modifies the input variables of the HIOA. 

Notation Let $A$ be a HIOA as described above. If $s \in \mathbf{V}$ and $l \in \mathbf{L}$, then we write 
$s \xrightarrow{a}_A l$ if and only if there exists an $s' \in \mathbf{V}$ such that $s \xrightarrow{a}_A s'$ and $s'\lceil L = l$. Henceforth, 
the components of a HIOA $A$ will be denoted by $V_A$, $U_A$, $\Sigma_A$, $\Theta_A$, etc. Moreover, the 
components of a HIOA $A_i$ will also be denoted by $V_i$, $U_i$, $\Sigma_i$, $\Theta_i$, etc. 
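The axioms Init and D1–D3 above, and the consequence derived from D2 and D3 (the environment action never changes the output variables), can be decided by enumeration when every variable has a finite type. The following is an added example, not code from the thesis: a small constructed automaton with one input, one internal and one output variable (names, types and the action `flip` are hypothetical), an axiom checker, and a deliberately broken variant whose output action fails D3 because it keeps the input variable fixed.

```python
from itertools import product

ENV = "e"   # the environment action, by definition a member of Sigma^in

def all_valuations(types):
    """All valuations of the variables in `types` (name -> finite set of values),
    each represented as a tuple of (name, value) pairs sorted by name."""
    names = sorted(types)
    return [tuple(zip(names, vals)) for vals in product(*(types[n] for n in names))]

def restrict(s, names):
    """The restriction s|Z' of a valuation s to the variables in `names`."""
    return tuple((n, v) for n, v in s if n in names)

def as_state(d):
    """Turn a state dict into the hashable tuple form used above."""
    return tuple(sorted(d.items()))

class FiniteHIOA:
    """A HIOA with finite variable types, so that Init and D1-D3 are decidable by
    enumeration. `init` is a predicate on state dicts; `delta(s, a)` lists the
    post-states (as dicts) of action a from pre-state s."""
    def __init__(self, types, U, X, Y, sig_in, sig_int, sig_out, init, delta):
        self.U, self.X, self.Y = set(U), set(X), set(Y)
        self.sig_in, self.sig_int, self.sig_out = set(sig_in), set(sig_int), set(sig_out)
        self.states = all_valuations(types)                      # the set of all states
        self.inputs = all_valuations({n: types[n] for n in U})   # all input valuations u
        self.theta = {s for s in self.states if init(dict(s))}   # initial states
        self.delta = {(s, a, as_state(t)) for s in self.states
                      for a in self.sig_in | self.sig_int | self.sig_out
                      for t in delta(dict(s), a)}                # discrete transitions

    def step(self, s, a):
        """All post-states s' with s --a--> s'."""
        return {t for (p, b, t) in self.delta if p == s and b == a}

def check_init(A):
    """Init: changing the input part of an initial state (keeping its output part)
    can always be compensated by internal changes that give an initial state."""
    return all(any(restrict(t, A.U) == u and restrict(t, A.Y) == restrict(s, A.Y)
                   for t in A.theta)
               for s in A.theta for u in A.inputs)

def check_d1(A):
    """D1: every input action is enabled in every state."""
    return all(A.step(s, a) for s in A.states for a in A.sig_in)

def check_d2(A):
    """D2: an environment step that leaves the inputs unchanged changes nothing."""
    return all(s == t for (s, a, t) in A.delta
               if a == ENV and restrict(s, A.U) == restrict(t, A.U))

def check_d3(A):
    """D3: for every step and every input valuation u there is a step with the same
    pre-state, input part u and the same output part."""
    return all(any(restrict(t, A.U) == u and restrict(t, A.Y) == restrict(s2, A.Y)
                   for t in A.step(s, a))
               for (s, a, s2) in A.delta for u in A.inputs)

def env_preserves_outputs(A):
    """The consequence of D2 and D3 derived in the text: e never changes Y."""
    return all(restrict(s, A.Y) == restrict(t, A.Y) for (s, a, t) in A.delta if a == ENV)

def all_axioms(A):
    return check_init(A) and check_d1(A) and check_d2(A) and check_d3(A)

# Constructed automaton (hypothetical names): input u, internal x, output y.
TYPES = {"u": {0, 1, 2}, "x": {0, 1}, "y": {0, 1}}

def latch_delta(s, a):
    """e either stutters or changes u and sets x := 1 to record the input change;
    the output action flip is enabled when x == 1, toggles y, clears x and, as
    Axiom D3 requires, leaves u arbitrary (the u :in type(u) convention)."""
    if a == ENV:
        return [s] + [{"u": u2, "x": 1, "y": s["y"]} for u2 in TYPES["u"] if u2 != s["u"]]
    if a == "flip" and s["x"] == 1:
        return [{"u": u2, "x": 0, "y": 1 - s["y"]} for u2 in TYPES["u"]]
    return []

def broken_delta(s, a):
    """Same automaton, except that flip keeps u fixed: this violates D3."""
    if a == "flip" and s["x"] == 1:
        return [{"u": s["u"], "x": 0, "y": 1 - s["y"]}]
    return latch_delta(s, a)

def build(delta):
    return FiniteHIOA(TYPES, U={"u"}, X={"x"}, Y={"y"}, sig_in={ENV}, sig_int=set(),
                      sig_out={"flip"}, init=lambda s: s["y"] == 0, delta=delta)

LATCH, BROKEN = build(latch_delta), build(broken_delta)
```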

2.3 Hybrid Executions 

A hybrid execution fragment $\alpha$ of a HIOA $A$ is a finite or infinite alternating sequence 
$\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$, where: 

1. Each $w_i$ is a trajectory in $\mathcal{W}_A$ and each $a_i$ is an action in $\Sigma_A$. 

2. If $\alpha$ is a finite sequence then it ends with a trajectory. 

3. If $w_i$ is not the last trajectory in $\alpha$ then its domain is a right-closed interval and it is 
the case that $w_i.lstate \xrightarrow{a_{i+1}}_A w_{i+1}.fstate$. 

An execution fragment records all the discrete changes that occur in the evolution of a 
system, plus the "continuous" state changes that take place in between. The third item 
says that the discrete actions in a span between successive trajectories. We write h-frags(A) 
for the set of all hybrid execution fragments of A. 

If $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment, then we define the limit time of $\alpha$, 
denoted by $\alpha.ltime$, to be $\sum_{i \in \mathbb{N}} w_i.ltime$. Further, we define the first state of $\alpha$, denoted 
by $\alpha.fstate$, to be $w_0.fstate$. 

We distinguish several sorts of hybrid execution fragments. A hybrid execution fragment $\alpha$ 
is defined to be 

• an execution if the first state of $\alpha$ is an initial state, i.e., $\alpha.fstate \in \Theta_A$, 

• finite if a is a finite sequence and the domain of its final trajectory is a right-closed 
interval, 

• admissible if a.ltime = oo, 

• Zeno if a is neither finite nor admissible, and 

• a sentence if a is a finite execution that ends with a point trajectory. 

If $\alpha = w_0 a_1 w_1 \cdots a_n w_n$ is a finite hybrid execution fragment then we define the last state 
of $\alpha$, denoted by $\alpha.lstate$, to be $w_n.lstate$. A state of $A$ is defined to be reachable if it is the 
last state of some finite hybrid execution of $A$. 

A finite hybrid execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots a_n w_n$ and a hybrid execution fragment 
$\alpha' = w'_0 a'_1 w'_1 a'_2 w'_2 \cdots$ of $A$ can be concatenated if $w_n \frown w'_0$ is defined and is a trajectory 
of $A$. In this case, the concatenation $\alpha \frown \alpha'$ is the hybrid execution fragment defined by 

$\alpha \frown \alpha' = w_0 a_1 w_1 a_2 w_2 \cdots a_n (w_n \frown w'_0) a'_1 w'_1 a'_2 w'_2 \cdots$ 

Let $\alpha$ and $\alpha'$ be hybrid execution fragments of a HIOA $A$. We say that $\alpha'$ is a prefix of $\alpha$, 
denoted by $\alpha' \le \alpha$, if either $\alpha' = \alpha$, or there exists some execution fragment $\alpha''$ of $A$ such 
that $\alpha' \frown \alpha'' = \alpha$. 

A variable $v$ of a HIOA $A$ is called continuous if $v$ is not modified by any discrete steps of 
$A$ and for all trajectories $w$ of $A$, $w \downarrow v$ is a continuous function. Let $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ 
be a hybrid execution fragment of $A$. Then we define $\alpha \downarrow v$ as follows: 

$\alpha \downarrow v = (w_0 \downarrow v) \frown (w_1 \downarrow v) \frown (w_2 \downarrow v) \cdots$ 

Theorem 2.3.1 If $v$ is a continuous variable of a HIOA $A$ and $\alpha$ is an execution fragment 
of $A$, then $\alpha \downarrow v$ is a continuous function. 

If $\alpha = w_0 a_1 w_1 a_2 w_2 \ldots$ is a hybrid execution fragment of a HIOA $A$ and $Z \subseteq V$ then $\alpha \downarrow Z$ 
is defined to be the sequence $(w_0 \downarrow Z)\, a_1\, (w_1 \downarrow Z)\, a_2\, (w_2 \downarrow Z) \ldots$. 

A superdense time in an execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \ldots$ of a HIOA $A$ is a pair 
$(i, t)$, where $t \le w_i.ltime$. We totally order superdense times in the execution fragment $\alpha$ 
lexicographically. 

An occurrence of a state $s$ in an execution fragment $\alpha = w_0 a_1 w_1 a_2 w_2 \ldots$ of a HIOA $A$ 
is a triple $(i, t, s)$ such that $(i, t)$ is a superdense time in $\alpha$ and $s = w_i(t)$. We order state 
occurrences in $\alpha$ according to the order of their superdense times. 

If $S$ is a set of states and $\alpha$ is an execution fragment, then $past(S, \alpha)$ is the set of state 
occurrences $(i, t, s)$ in $\alpha$ such that either $s \in S$ or there is a previous state occurrence 
$(i', t', s')$ in $\alpha$ with $s' \in S$. 

2.4 Hybrid Traces 

Suppose $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ is a hybrid execution fragment of $A$. In order to define the 
hybrid trace of $\alpha$, let 

$\gamma = (w_0 \downarrow E_A)\, vis(a_1)\, (w_1 \downarrow E_A)\, vis(a_2)\, (w_2 \downarrow E_A) \cdots$, 

where, for any action $a$ of $A$, $vis(a)$ is defined equal to $\tau$ if $a$ is an internal action or the 
environment action $e$, and equal to $a$ otherwise. Here $\tau$ is a special symbol which, as in the 
theory of process algebra, plays the role of the "generic" invisible action. An occurrence of 
$\tau$ in $\gamma$ is called inert if the final state of the trajectory that precedes the $\tau$ equals the first 
state of the trajectory that follows it (after hiding of the internal variables). The hybrid 
trace of $\alpha$, denoted by $h\text{-}trace(\alpha)$, is defined to be the sequence obtained from $\gamma$ by removing 
all inert $\tau$'s and concatenating the surrounding trajectories. 

The hybrid traces of $A$ are the hybrid traces that arise from all the finite and admissible 
hybrid executions of $A$. We write $h\text{-}traces(A)$ for the set of hybrid traces of $A$. 

The HIOA $A_1$ and $A_2$ are comparable if they have the same external interface, i.e., $U_1 = U_2$, 
$Y_1 = Y_2$, $\Sigma_1^{in} = \Sigma_2^{in}$, and $\Sigma_1^{out} = \Sigma_2^{out}$. If $A_1$ and $A_2$ are comparable, then $A_1 \le A_2$ is 
defined to mean that the hybrid traces of $A_1$ are included in those of $A_2$; that is, $A_1 \le 
A_2 \equiv h\text{-}traces(A_1) \subseteq h\text{-}traces(A_2)$. If $A_1 \le A_2$, then we say that $A_1$ implements $A_2$. 
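The trace construction just described (project each trajectory onto the external variables, hide internal and environment actions as $\tau$, then delete inert $\tau$'s and concatenate the trajectories around them) is shown below on a constructed execution fragment. This is an added example, not the thesis's own code; it assumes closed trajectories represented as Python functions on $[0, ltime]$, and the variable and action names (`pos`, `u`, `mode`, `tick`, `brake`) are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Union

State = Dict[str, float]
TAU = "tau"   # the generic invisible action of Section 2.4
ENV = "e"     # the environment action

@dataclass
class Traj:
    """A closed trajectory: a function f on the interval [0, ltime]."""
    ltime: float
    f: Callable[[float], State]

    @property
    def fstate(self) -> State:
        return self.f(0.0)

    @property
    def lstate(self) -> State:
        return self.f(self.ltime)

    def proj(self, names: Set[str]) -> "Traj":
        """The projection w down-arrow Z' onto the variables in `names`."""
        g = self.f
        return Traj(self.ltime, lambda t: {v: g(t)[v] for v in names})

    def concat(self, other: "Traj") -> "Traj":
        """w ^ w' = w union (w' + w.ltime); defined only if w.lstate = w'.fstate."""
        if self.lstate != other.fstate:
            raise ValueError("w.lstate differs from w'.fstate: concatenation undefined")
        a, g, h = self.ltime, self.f, other.f
        return Traj(a + other.ltime, lambda t: g(t) if t <= a else h(t - a))

Fragment = List[Union[Traj, str]]   # w0 a1 w1 a2 w2 ..., always ending with a trajectory

def fragment_ltime(alpha: Fragment) -> float:
    """alpha.ltime = sum over i of w_i.ltime."""
    return sum(x.ltime for x in alpha[0::2])

def vis(a: str, internal: Set[str]) -> str:
    """vis(a) is tau for internal actions and for e, and a itself otherwise."""
    return TAU if a in internal or a == ENV else a

def h_trace(alpha: Fragment, external_vars: Set[str], internal: Set[str]) -> Fragment:
    """h-trace(alpha): build gamma, then delete each inert tau and concatenate the
    trajectories that surround it."""
    gamma = [x.proj(external_vars) if isinstance(x, Traj) else vis(x, internal)
             for x in alpha]
    trace: Fragment = [gamma[0]]
    for act, w in zip(gamma[1::2], gamma[2::2]):
        prev = trace[-1]
        # inert: the externally visible state is unchanged across the hidden step
        if act == TAU and prev.lstate == w.fstate:
            trace[-1] = prev.concat(w)
        else:
            trace += [act, w]
    return trace

# Constructed execution fragment of a hypothetical vehicle automaton with external
# variables pos (output) and u (input) and internal variable mode.
W0 = Traj(1.0, lambda t: {"pos": 2.0 * t, "u": 0, "mode": 0})
W1 = Traj(1.0, lambda t: {"pos": 2.0 + t, "u": 0, "mode": 1})
W2 = Traj(2.0, lambda t: {"pos": 3.0 + 0.5 * t, "u": 0, "mode": 1})
W3 = Traj(1.0, lambda t: {"pos": 4.0 + 0.5 * t, "u": 1, "mode": 1})
# tick is internal and only changes mode, so its tau is inert and disappears;
# brake is an output action and stays; e changes the input u, so its tau is not inert.
ALPHA: Fragment = [W0, "tick", W1, "brake", W2, ENV, W3]
TRACE = h_trace(ALPHA, {"pos", "u"}, {"tick"})
```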

2.5 Auxiliary HIOA Definitions 

Given a HIOA $A$, we use the notation $states(A)$ to denote the state space of the automaton 
$A$, i.e., $states(A) = \mathbf{V}_A$. If $R$ is a subset of the set of states $states(A)$ of the automaton $A$ 
and $s, s' \in R$, then we say that $s'$ is $R$-reachable from $s$, denoted by $s \leadsto_R s'$, provided that 
there is a hybrid execution fragment of $A$ that starts in $s$, ends in $s'$, and all of whose states 
are in the set $R$. We say that $s'$ is reachable from $s$, denoted by $s \leadsto s'$, provided that $s'$ is 
$R$-reachable from $s$, where $R$ is the set of all states of the automaton $A$, i.e., $R = states(A)$. 

When analyzing a HIOA $A$, it is often useful to define derived variables for $A$. Such variables 
are functionally dependent on the variables of the automaton $A$ and, although useful in the 
analysis of $A$, are not essential in its definition. 

If $s$ is a state of a HIOA $A$ and $z$ is a variable of $A$, i.e., $s \in states(A)$ and $z \in V_A$, then 
$s.z$ denotes the value of the variable $z$ in the state $s$. In terms of valuations, $s.z$ is the 
restriction of the valuation $s$ to the element $z$, i.e., $s.z = s\lceil z$. 

If $f$ is a function to states of a HIOA $A$ and $Z$ is a subset of the variables of $A$, i.e., 
$range(f) = states(A)$ and $Z \subseteq V_A$, then $f \downarrow Z$ is the projection of $f$ onto the variables in 
$Z$, i.e., the function $g$ with domain $dom(f)$ and range equal to the set of valuations of $Z$, 
defined by: $g(s)(z) = f(s)(z)$, for all $s \in dom(f)$ and $z \in Z$. In the special case where $Z$ is 
a singleton set $\{z\}$, i.e., $Z = \{z\}$, we write $f \downarrow z$ as shorthand for $f \downarrow Z$. 

2.6 Simulation Relations 

Let $A$ and $B$ be comparable HIOA. A simulation from $A$ to $B$ is a relation $R \subseteq \mathbf{V}_A \times \mathbf{V}_B$ 
satisfying the following conditions, for all states $r$ and $s$ of $A$ and $B$, respectively: 

1. If $r \in \Theta_A$, then there exists $s \in \Theta_B$ such that $r\,R\,s$. 

2. If $r \xrightarrow{a}_A r'$ and $r\,R\,s$, then $B$ has a finite execution fragment $\alpha$ with $s = \alpha.fstate$, 
$h\text{-}trace(\wp(r)\, a\, \wp(r')) = h\text{-}trace(\alpha)$, and $r'\,R\,\alpha.lstate$. 

3. If $r\,R\,s$ and $w$ is a closed trajectory of $A$ with $r = w.fstate$, then $B$ has a finite execution 
fragment $\alpha$ with $s = \alpha.fstate$, $h\text{-}trace(w) = h\text{-}trace(\alpha)$, and $w.lstate\,R\,\alpha.lstate$. 

Theorem 2.6.1 If $A$ and $B$ are comparable HIOA and there is a simulation from $A$ to $B$, 
then $A \le B$. 

2.7 Composition 

We say that the HIOA $A_1$ and $A_2$ are compatible if, for $i, j \in \{1, 2\}$, $i \ne j$, 

$X_i \cap V_j = Y_i \cap Y_j = \Sigma_i^{int} \cap \Sigma_j = \Sigma_i^{out} \cap \Sigma_j^{out} = \emptyset$. 

If $A_1$ and $A_2$ are compatible then their composition $A_1 \times A_2$ is defined to be the tuple 

$A = (U, X, Y, \Sigma^{in}, \Sigma^{int}, \Sigma^{out}, \Theta, \mathcal{D}, \mathcal{W})$ given by 

• $U = (U_1 \cup U_2) - (Y_1 \cup Y_2)$, $X = X_1 \cup X_2$, $Y = Y_1 \cup Y_2$ 

• $\Sigma^{in} = (\Sigma_1^{in} \cup \Sigma_2^{in}) - (\Sigma_1^{out} \cup \Sigma_2^{out})$, $\Sigma^{int} = \Sigma_1^{int} \cup \Sigma_2^{int}$, $\Sigma^{out} = \Sigma_1^{out} \cup \Sigma_2^{out}$ 

• $\Theta = \{s \in \mathbf{V} \mid s\lceil V_1 \in \Theta_1 \wedge s\lceil V_2 \in \Theta_2\}$ 

• Define, for $i \in \{1, 2\}$, the projection function $\pi_{A_i} : \Sigma \to \Sigma_i$ by $\pi_{A_i}(a) = a$, if $a \in \Sigma_i$, and 
$\pi_{A_i}(a) = e$, otherwise. Then $\mathcal{D}$ is the subset of $\mathbf{V} \times \Sigma \times \mathbf{V}$ given by 

• $\mathcal{W}$ is the set of trajectories over $V$ given by 

$w \in \mathcal{W} \iff w \downarrow V_1 \in \mathcal{W}_1 \wedge w \downarrow V_2 \in \mathcal{W}_2$ 

Notation We extend the projection notation $\pi_{A_i}$, for $i \in \{1, 2\}$, to states, trajectories, 
discrete actions, hybrid executions, and hybrid traces in the obvious way. If $s$, $w$, and $a$ 
are a state, a trajectory, and a discrete action of the automaton $A = A_1 \times A_2$, then the 
respective projections $\pi_{A_i}$, for $i \in \{1, 2\}$, are defined as $\pi_{A_i}(s) = s\lceil V_{A_i}$, $\pi_{A_i}(w) = w \downarrow V_{A_i}$, 
and $\pi_{A_i}(a) = a$ if $a \in \Sigma_{A_i}$ and $\pi_{A_i}(a) = e$ otherwise. Also, if $\alpha = w_0 a_1 w_1 a_2 \cdots$ is a hybrid 
execution of the automaton $A = A_1 \times A_2$, then the projection $\pi_{A_i}$, for $i \in \{1, 2\}$, is defined 
as $\pi_{A_i}(\alpha) = \pi_{A_i}(w_0)\, \pi_{A_i}(a_1)\, \pi_{A_i}(w_1)\, \pi_{A_i}(a_2) \cdots$. Moreover, if $\gamma$ is the hybrid trace of $\alpha$, then 
$\pi_{A_i}(\gamma)$ is the sequence obtained from $(w_0 \downarrow E_{A_i})\, vis_{A_i}(a_1)\, (w_1 \downarrow E_{A_i})\, vis_{A_i}(a_2)\, (w_2 \downarrow E_{A_i}) \cdots$ 
by removing all inert $\tau$'s and concatenating the surrounding trajectories. 

Proposition 2.7.1 If $A_1$ and $A_2$ are compatible HIOA, then their composition $A_1 \times A_2$ is 
a HIOA. 

Lemma 2.7.2 Let $A = A_1 \times A_2$, and let $\alpha$ be a hybrid execution of $A$. Then it is the case 
that $\pi_{A_i}(h\text{-}trace(\alpha)) = h\text{-}trace(\pi_{A_i}(\alpha))$, for $i \in \{1, 2\}$. 

Lemma 2.7.3 Let $A = A_1 \times A_2$. Then it is the case that $h\text{-}traces(A) = \{\gamma \mid \pi_{A_i}(\gamma) \in 
h\text{-}traces(A_i), \text{ for } i \in \{1, 2\}\}$. 

Theorem 2.7.4 Suppose $A_1$, $A_2$, and $B$ are HIOA with $A_1 \le A_2$, and each of $A_1$ and $A_2$ 
is compatible with $B$. Then $A_1 \times B \le A_2 \times B$. 

2.8 HIOA Specification Conventions 

In this section we describe the conventions used in the specification of a HIOA A in this 
thesis. In particular, we describe how the states, the discrete transitions, and the trajectories 
of A are specified and introduce notational shorthand used to specify concisely complex state 
properties of A. 
2.8.1 State Specification 

Since the states of A are the set of valuations of its variable set Va, the states of A are 
specified by simply defining the domain over which each variable in Va ranges. Thus, the 
states of A are specified by a list of all input, internal, and output variables together with 
the domain over which each respective variable ranges. Similarly, the set of start states of 
A is specified by stating the set of values that each variable in Va can initially assume. It is 
important to note that, by Axiom Init of the HIOA model, each input variable u of A may 
initially assume any value in type(u); that is, the set of values that each input variable u of 
A can initially assume is the set type(u). 

2.8.2 Discrete Transition Specification 

The set of discrete transitions of $A$ is specified by collectively describing all discrete transitions 
involving each action $a$ in $\Sigma_A$ in precondition-effect format. This format is comprised 
of a label, a precondition, and an effect clause. The label corresponds to the label of the 
action $a$. The precondition is a predicate over the variables of $A$ and specifies the conditions 
under which the action $a$ is enabled; that is, the precondition defines the set of states in 
which the action $a$ may be scheduled. It is important to note that an action $a$ in $\Sigma_A$ is not 
necessarily scheduled whenever it is enabled. The effect clause specifies the pseudo-code 
that must be applied to the pre-state of a discrete transition involving the action $a$ so as 
to yield the post-state of the discrete transition. It follows that, in order for $(s, a, s')$ to 
be a discrete transition of $A$, the precondition in the specification of the action $a$ must be 
satisfied by the pre-state $s$. Moreover, the application of the pseudo-code in the effect clause 
of the specification of the action $a$ to the pre-state $s$ must yield the post-state $s'$. 

The convention used in this thesis is that for any particular discrete transition $(s, a, s')$ of 
$A$, the statements in the pseudo-code of the effect clause of the specification of $a$ are applied 
sequentially to the state of $A$ starting from the pre-state $s$. However, the effect clause in 
the specification of any action $a$ of $A$ is assumed to be executed indivisibly. Therefore, the 
execution of the action $a$ in the state $s$ represents a single transition from the pre-state $s$ 
to the post-state $s'$. In order to be able to write effect clause pseudo-code involving the 
valuation of the variables of $A$ in the pre-state, we adopt the convention that the value of a 
particular variable $v$ of $A$ in the pre-state $s$ may be referred to as $v_{pre}$. Similarly, the value 
of the variable $v$ in the post-state $s'$ may be referred to as $v_{post}$. 

Throughout this thesis, we adopt the convention that if the effect clause in the specification 
of an action $a$ of $A$ does not affect a local variable $v$, for any $v \in L_A$, the value of $v$ in the 
post-state of any discrete transition involving the action $a$ is equal to its value in the pre-state, 
i.e., $v_{post} = v_{pre}$. Moreover, in order to conform to Axiom D3 of the HIOA model, we 
adopt the convention that the effect clause in the specification of each action $a$ of $A$ must 
assign to each input variable $u$ of $A$ an arbitrary value in $type(u)$; that is, the effect clause 
in the specification of the action $a$ must include the assignment statement $u :\in type(u)$. In 
fact, we adopt the convention that such assignments precede any other statements in the 
effect clause of the specification of the action $a$. Obviously, if the automaton $A$ has no input 
variables, i.e., $U_A = \emptyset$, no such assignments are specified. 

Axiom D1 of the HIOA model defines HIOA to be input-enabled; that is, a HIOA is not 
capable of blocking the scheduling of its input actions. It follows that each input action $a$ of 
$A$ is enabled in each state $s$ of $A$. A consequence of this characteristic is that the precondition 
in the specification of each input action $a$ of $A$ is the trivial predicate True. Throughout 
this thesis, we adopt the convention that the precondition clause in the specification of any 
input action $a$ of $A$ is omitted; that is, the specification of each input action $a$ of $A$ is only 
comprised of the label and the effect clause of the action $a$. 

The environment action $e$, which is considered an input action, allows the occurrence of a 
discrete transition in the external environment that is unobservable by $A$ except (possibly) 
through its effect on the input variables of $A$. Environment actions are considered input 
actions because HIOA have no control over their external environment and, therefore, environment 
actions are enabled in all states. Thus, following the convention for input actions, 
the precondition clause in the specification of the environment action $e$ is omitted. Moreover, 
according to Axioms D2 and D3 of the HIOA model, a discrete transition involving 
the environment action $e$ can only affect the input and the internal variables of $A$. In fact, 
according to Axiom D2 of the HIOA model, a discrete transition involving the environment 
action $e$ can affect the internal variables of $A$ only if the input variables are also 
affected. Therefore, the effect clause in the specification of the environment action $e$ must 
be such that the internal variables are affected only if the valuation of the input variables 
in the post-state differs from their valuation in the pre-state; that is, for all $(s, e, s') \in \mathcal{D}$, 
it is the case that if $s\lceil X_A \ne s'\lceil X_A$ then $s\lceil U_A \ne s'\lceil U_A$. If the automaton $A$ has no input 
variables, then the environment action $e$ cannot affect its state; that is, if $U_A = \emptyset$ then for 
all $(s, e, s') \in \mathcal{D}$ it is the case that $s = s'$. In such cases, the environment action $e$ is referred 
to as stuttering and the effect clause in its specification is comprised of the single statement 
"None". Often, when the environment action $e$ does not affect the internal variables of a 
HIOA, or when the environment action $e$ is stuttering, its specification is omitted. Thus, 
if the environment action $e$ is omitted from the specification of a HIOA $A$, then it follows 
that the environment action $e$ assigns arbitrary values to the input variables of $A$ and does 
not affect the internal variables of $A$. Obviously, when the HIOA $A$ has no input variables, 
the environment action $e$ omitted in the specification of $A$ is stuttering. 
2.8.3 Trajectory Specification 

The set of trajectories of $A$ is specified by pseudo-code which describes the properties that 
any trajectory $w$ involving the variables in the variable set of $A$ must satisfy in order to be 
a trajectory of $A$. Thus, the trajectory pseudo-code consists of a collection of predicates all 
of which must be satisfied throughout any trajectory $w$ of $A$. Since HIOA have no control 
over their input variables, the trajectory specification of $A$ must not constrain its input 
variables. Thus, we adopt the convention that the trajectory specification of $A$ includes a 
clause for each input variable $u$ of $A$ stating that the input variable $u$ assumes arbitrary 
values in $type(u)$ throughout each trajectory $w$ of $A$. Obviously, if the automaton $A$ has no 
input variables, i.e., $U_A = \emptyset$, no such clauses are specified. In contrast to the convention 
used in the specification of actions, if a particular local variable $v$ of $A$ is not constrained 
in the trajectory specification of $A$, then its value may assume arbitrary values in $type(v)$. 
Therefore, in order to specify that the value of the local variable $v$ of $A$ remains constant 
throughout each trajectory $w$ of $A$, an explicit statement stating so must be used. 

2.8.4 State Restriction 

In the specification of a HIOA, it is often unwieldy to explicitly enforce complex state properties. 
In view of this specification inefficacy, we allow the enforcement of state properties 
through the restriction of the states of a HIOA to property sets. A property set $P$ of $A$ is 
a set of states of $A$ that is comprised of all the states of $A$ that satisfy a particular state 
property. The state property described by the property set $P$ may be enforced through the 
use of "subject to $P$" clauses in the specification of either the initial states, the actions, or 
the trajectories of $A$. In the specification of the initial states of $A$, a "subject to $P$" clause 
signifies that all of the initial states of $A$ are in the set $P$. In the specification of the actions 
of $A$, a "subject to $P$" clause in the effect clause of an action $a$ signifies that the post-state 
of each discrete transition involving the action $a$ is in the set $P$. Finally, in the specification 
of the trajectories of $A$, a "subject to $P$" clause signifies that all the states involved in each 
trajectory of $A$ are in the set $P$. In the case of trajectories, such a clause may be interpreted 
as choosing the local variables of $A$ that are unconstrained by the trajectory specification 
so that the states involved in the trajectory are in the set $P$. 

Often, we collectively specify all complex state properties of a HIOA A using a single 
property set. This property set is distinct for each HIOA and is referred to as the set VALID 
for the particular HIOA at hand. 
Chapter 3 

Abstract Physical Plant and 
Protector Models 


This chapter is split into two parts. In the first part, we define an abstract model of a physical 
system that is comprised of a physical plant and a protection system. The protection system 
is modeled as a set of protectors that are communicating with the physical plant through 
distinct communication channels, or ports. These channels are used to sample and to control 
the state of the physical plant. Both the physical plant and the protectors are modeled as 
HIOA. It is shown that under certain conditions protectors can be composed such that 
their composition ensures the safety properties guaranteed by the individual protectors 
being composed. In the second part, we give an abstract model of a protector. The model 
is parameterized by the physical plant and various sets of states of the physical plant which 
describe the properties assumed and guaranteed by the abstract protector. The protector is 
defined as the composition of a sensor automaton and a discrete controller automaton. The 
sensor automaton samples the output state of the physical plant at a given sampling rate. 
The discrete controller automaton determines which protective action must be scheduled in 
order to ensure the safety of the physical plant up to the next sampling point. To conclude, 
the proposed abstract protector is shown to be correct. 

3.1 Protected Plant Systems 

In this section, we present an abstract model of a system consisting of a physical plant and 
a set of protectors. The model is abstract in that it does not specify any of the details 
of the physical plant — for instance, it does not specify that the plant includes vehicles 
and tracks. We also define what it means for a protector responsible for guaranteeing a 
particular property, i.e., a protector used to avoid a particular mishap, to be correct. 
3.1.1 Physical Plant Automata 

Let $J$ be a set of ports. A physical plant automaton $PP$ for $J$ is defined to be a hybrid I/O 
automaton (HIOA) in which: 

1. The input action set $\Sigma^{in}_{PP}$ is partitioned into subsets $\Sigma^{in}_{PP,j}$, one for each port $j$. 

2. The output action set $\Sigma^{out}_{PP}$ is partitioned into subsets $\Sigma^{out}_{PP,j}$, one for each port $j$. 

3. The input variable set $U_{PP}$ is partitioned into subsets $U_{PP,j}$, one for each port $j$. 

We use the letter $p$ to denote a state of $PP$ and $P$ to denote a set of states of $PP$. 

3.1.2 Protector Automata 

Let $PP$ be a physical plant automaton with port set $J$, and let $K \subseteq J$. A protector 
automaton $A$ for the physical plant $PP$ and the port set $K$ is a HIOA that is compatible 
with $PP$, and that satisfies the following conditions: 

1. Its output actions are exactly the input actions of $PP$ on ports in $K$. 

2. Its output variables are exactly the input variables of $PP$ on ports in $K$. 

3. All its input actions and input variables are outputs of $PP$. 
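The three protector conditions, together with the compatibility test and the composed interface of Section 2.7, can be checked mechanically on the interfaces alone (variable and action sets; transitions and trajectories play no role in these conditions). The following added example, which is not code from the thesis, builds a constructed two-port plant and two protectors on disjoint port sets and checks that their composition is again a protector for the union of the port sets, the closure property stated by Lemma 3.1.1. All names are hypothetical, and the environment action $e$ is left out of every action set as a simplifying assumption.

```python
from dataclasses import dataclass

def fs(*items):
    return frozenset(items)

@dataclass(frozen=True)
class Sig:
    """Interface of a HIOA: its variable sets and action sets. The environment
    action e is omitted from all action sets (assumption of this example)."""
    U: frozenset
    X: frozenset
    Y: frozenset
    sin: frozenset
    sint: frozenset
    sout: frozenset

    @property
    def V(self):
        return self.U | self.X | self.Y

    @property
    def sigma(self):
        return self.sin | self.sint | self.sout

def compatible(a, b):
    """Section 2.7: X_i & V_j = Y_i & Y_j = Sigma_i^int & Sigma_j = Sigma_i^out & Sigma_j^out
    = empty for i != j."""
    return all(not (p.X & q.V) and not (p.Y & q.Y) and not (p.sint & q.sigma)
               and not (p.sout & q.sout) for p, q in ((a, b), (b, a)))

def compose(a, b):
    """Interface of A_1 x A_2 as defined in Section 2.7; raises if not compatible."""
    if not compatible(a, b):
        raise ValueError("automata are not compatible")
    return Sig(U=(a.U | b.U) - (a.Y | b.Y), X=a.X | b.X, Y=a.Y | b.Y,
               sin=(a.sin | b.sin) - (a.sout | b.sout),
               sint=a.sint | b.sint, sout=a.sout | b.sout)

@dataclass(frozen=True)
class Plant:
    """A physical plant automaton PP for a port set J (Section 3.1.1): its interface
    plus the per-port partitions of its input actions, output actions and input
    variables. The dict keys are the ports in J."""
    sig: Sig
    in_acts: dict
    out_acts: dict
    in_vars: dict

def is_protector(A, PP, K):
    """The three conditions of Section 3.1.2 for A to be a protector for PP on K."""
    acts_on_K = frozenset().union(*(PP.in_acts[j] for j in K))
    vars_on_K = frozenset().union(*(PP.in_vars[j] for j in K))
    return (compatible(A, PP.sig)
            and A.sout == acts_on_K       # 1: output actions = input actions of PP on K
            and A.Y == vars_on_K          # 2: output variables = input variables of PP on K
            and A.sin <= PP.sig.sout      # 3: all input actions of A are outputs of PP
            and A.U <= PP.sig.Y)          #    and so are all input variables of A

# Constructed plant with ports 1 and 2 (hypothetical names).
PP = Plant(
    sig=Sig(U=fs("brake_cmd1", "brake_cmd2"), X=fs("accel"), Y=fs("pos", "vel"),
            sin=fs("brake1", "brake2"), sint=fs(), sout=fs("report1", "report2")),
    in_acts={1: fs("brake1"), 2: fs("brake2")},
    out_acts={1: fs("report1"), 2: fs("report2")},
    in_vars={1: fs("brake_cmd1"), 2: fs("brake_cmd2")})

# Two protectors on the disjoint port sets {1} and {2}.
A1 = Sig(U=fs("pos", "vel"), X=fs("sampled_vel"), Y=fs("brake_cmd1"),
         sin=fs("report1"), sint=fs("decide1"), sout=fs("brake1"))
A2 = Sig(U=fs("pos", "vel"), X=fs("sampled_pos"), Y=fs("brake_cmd2"),
         sin=fs("report2"), sint=fs("decide2"), sout=fs("brake2"))
# A third protector that also claims port 1: it shares output actions and output
# variables with A1, so the two are not compatible and cannot be composed.
A3 = Sig(U=fs("vel"), X=fs("count"), Y=fs("brake_cmd1"),
         sin=fs("report1"), sint=fs("decide3"), sout=fs("brake1"))
```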

Lemma 3.1.1 Suppose that $A_1$ and $A_2$ are protectors for PP, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. If $A_1$ and $A_2$ are compatible then their composition $A_1 \times A_2$ is a protector for PP with port set $K_1 \cup K_2$.

Proof: Since $A_1$ and $A_2$ are compatible, Proposition 2.7.1 implies that $A_1 \times A_2$ is a HIOA. Moreover, since $A_1$ and $A_2$ are compatible with PP it follows that $A_1 \times A_2$ is compatible with PP also. Therefore, it remains to be shown that the HIOA $A_1 \times A_2$ satisfies the three protector conditions presented above.

To begin, since the protectors $A_1$ and $A_2$ communicate with the plant PP through the port sets $K_1$ and $K_2$, respectively, their composition $A_1 \times A_2$ communicates with the plant PP through the port set $K_1 \cup K_2$. Therefore, there are three conditions to check:

1. The output actions of $A_1 \times A_2$ are exactly the input actions of PP on ports in $K_1 \cup K_2$.

Since the HIOA $A_1$ and $A_2$ are protectors, it is the case that their output actions are exactly the input actions of PP on the port sets $K_1$ and $K_2$, respectively. However, from the composition of the protectors $A_1$ and $A_2$, it is the case that $\Sigma^{out}_{A_1 \times A_2} = \Sigma^{out}_{A_1} \cup \Sigma^{out}_{A_2}$. Therefore, it trivially follows that the output actions of $A_1 \times A_2$ are exactly the input actions of PP on ports in $K_1 \cup K_2$.

2. The output variables of $A_1 \times A_2$ are exactly the input variables of PP on ports in $K_1 \cup K_2$.

Since the HIOA $A_1$ and $A_2$ are protectors, it is the case that their output variables are exactly the input variables of PP on the port sets $K_1$ and $K_2$, respectively. However, from the composition of the protectors $A_1$ and $A_2$, it is the case that $Y_{A_1 \times A_2} = Y_{A_1} \cup Y_{A_2}$. Therefore, it trivially follows that the output variables of $A_1 \times A_2$ are exactly the input variables of PP on ports in $K_1 \cup K_2$.

3. All the input actions and input variables of $A_1 \times A_2$ are outputs of PP.

From the composition of the protectors $A_1$ and $A_2$, it is the case that $\Sigma^{in}_{A_1 \times A_2} = (\Sigma^{in}_{A_1} \cup \Sigma^{in}_{A_2}) - (\Sigma^{out}_{A_1} \cup \Sigma^{out}_{A_2})$ and $U_{A_1 \times A_2} = (U_{A_1} \cup U_{A_2}) - (Y_{A_1} \cup Y_{A_2})$. However, since the HIOA $A_1$ and $A_2$ are protectors, their output actions and output variables are inputs to the PP automaton. Therefore, it is the case that $\Sigma^{in}_{A_1 \times A_2} = \Sigma^{in}_{A_1} \cup \Sigma^{in}_{A_2}$ and $U_{A_1 \times A_2} = U_{A_1} \cup U_{A_2}$. It trivially follows that the input actions and input variables of $A_1 \times A_2$ are outputs of PP. ■



3.1.3 Protected Plant Systems 

A protected plant system is the composition of a physical plant automaton PP and a set of protector automata. If $s$ is a state of a protected plant system and $P$ is a subset of the states of PP, we often write $s \in P$ as shorthand for $s \lceil PP \in P$. That is, we extend the definition of the set $P$ to include states of the protected plant system that project to give PP states in $P$.

3.1.4 Substitutive and Compositional Correctness 

Let $S$, $R$, and $G$ be particular sets of states of PP. We say that a protector automaton $A$ for PP and ports $K$ guarantees $G$ in PP from $S$ given $R$ provided that every finite execution of the composition $PP \times A$ starting in a state in $S$ that only involves states in $R$ ends in a state in $G$. It is important to note that the first state of every such finite execution is in the set $\Theta_{PP \times A} \cap S$. In the special case where $R$ is the set of all states of PP, we sometimes omit explicit mention of $R$. Moreover, we often omit mention of PP when the physical plant automaton is clear from context.

It is important to note that the definition of "guarantees" includes consideration of finite executions in which arbitrary inputs can arrive at PP on ports other than those in $K$. The protector definition implies that regardless of what inputs occur on those ports, the protector $A$ still guarantees $G$ in PP starting from $S$ given $R$.
The following substitutivity theorem states that an implementation of a correct protector is itself a correct protector.

Theorem 3.1.2 Let $A_1$ and $A_2$ be two protector automata for the same port set $K$, and suppose that $A_1 \leq A_2$. If $A_2$ guarantees $G$ in PP from $S$ given $R$, then $A_1$ guarantees $G$ in PP from $S$ given $R$.

Proof: Let $\alpha_{PP \times A_1}$ be any finite execution of the automaton $PP \times A_1$ that starts in a state in the set $S$ and is restricted to states in the set $R$. We must show that $\pi_{PP}(\alpha_{PP \times A_1}.lstate) \in G$.

Let $\alpha_{PP}$ be the projection of $\alpha_{PP \times A_1}$ to the PP automaton and $\alpha_{A_2}$ be a finite execution of $A_2$ such that $h\text{-}trace(\alpha_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$. Adding environment actions appropriately to $\alpha_{PP}$ and $\alpha_{A_2}$, we obtain two new finite executions $\alpha'_{PP} = w^{PP}_0 a^{PP}_1 w^{PP}_1 a^{PP}_2 w^{PP}_2 \cdots$ and $\alpha'_{A_2} = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 a^{A_2}_2 w^{A_2}_2 \cdots$ of PP and $A_2$, respectively, such that $w^{PP}_i.ltime = w^{A_2}_i.ltime$, for all $i \in \mathbb{N}$, and either $a^{PP}_i = a^{A_2}_i$, or $a^{PP}_i = e$ or $a^{A_2}_i = e$, for all $i \in \mathbb{N}^+$. The addition of environment actions to $\alpha_{PP}$ and $\alpha_{A_2}$ is intended to generate two new finite executions $\alpha'_{PP}$ and $\alpha'_{A_2}$ of PP and $A_2$, respectively, in which the limit times of the trajectories in $\alpha'_{PP}$ and $\alpha'_{A_2}$ are equal, the actions in $\alpha_{PP}$ and $\alpha_{A_2}$ shared by PP and $A_2$ appear in both hybrid executions $\alpha'_{PP}$ and $\alpha'_{A_2}$, the internal actions of PP and the input actions of PP on ports other than port $j$ appear as environment actions in $\alpha'_{A_2}$, and the internal actions of $A_2$ appear as environment actions in $\alpha'_{PP}$. Also, it is important to note that all the environment actions added to $\alpha_{PP}$ and $\alpha_{A_2}$ to obtain $\alpha'_{PP}$ and $\alpha'_{A_2}$, respectively, correspond to inert $\tau$'s and do not appear in the hybrid traces $h\text{-}trace(\alpha'_{PP})$ and $h\text{-}trace(\alpha'_{A_2})$, i.e., $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$ and $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$.

Let $\alpha_i = w_0 a_1 w_1 a_2 w_2 \cdots a_i w_i$, for some $i \in \mathbb{N}$, be a finite hybrid execution comprised of a collection $w_0, w_1, w_2, \ldots, w_i$ of trajectories of $PP \times A_2$ and a collection $a_1, a_2, \ldots, a_i$ of actions of $PP \times A_2$, such that:

1. $\alpha_i = w_0 a_1 w_1 a_2 w_2 \cdots a_i w_i$ is a hybrid execution of $PP \times A_2$,

2. $\pi_{PP}(\alpha_i) = w^{PP}_0 a^{PP}_1 w^{PP}_1 a^{PP}_2 w^{PP}_2 \cdots a^{PP}_i w^{PP}_i$, and

3. $\pi_{A_2}(\alpha_i) = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 a^{A_2}_2 w^{A_2}_2 \cdots a^{A_2}_i w^{A_2}_i$.

By induction on the length $i$ of the finite execution $\alpha_i$, we show the existence of $\alpha_i$, for all $i \in \mathbb{N}$, and, moreover, the existence of a finite execution $\alpha = w_0 a_1 w_1 a_2 w_2 \cdots$ of $PP \times A_2$ comprised of a collection $w_0, w_1, w_2, \ldots$ of trajectories of $PP \times A_2$ and a collection $a_1, a_2, \ldots$ of actions of $PP \times A_2$, such that $\pi_{PP}(\alpha) = \alpha'_{PP}$ and $\pi_{A_2}(\alpha) = \alpha'_{A_2}$.

For the base case, consider the finite execution $\alpha_0 = w_0$ of length 0. Since $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$, $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$, and $w^{PP}_0.ltime = w^{A_2}_0.ltime$, it follows that $w^{PP}_0(t)(z) = w^{A_2}_0(t)(z)$, for all $z \in E_{PP} \cap E_{A_2}$ and $t \in [0, w^{PP}_0.ltime]$. Thus, the valuations of $w^{PP}_0$ and $w^{A_2}_0$ are compatible, for all $t \in [0, w^{PP}_0.ltime]$, and the trajectory $w_0$ with domain $[0, w^{PP}_0.ltime]$ can be defined as $w_0 = w^{PP}_0 \cup w^{A_2}_0$. By the definition of $w_0$, it follows that $\pi_{PP}(w_0) = w^{PP}_0$ and $\pi_{A_2}(w_0) = w^{A_2}_0$. Moreover, these two conditions imply that $w_0$ is a hybrid execution of $PP \times A_2$.

For the inductive step, assuming that the finite execution $\alpha_k$ satisfies the Properties 1, 2, and 3, for $i = k$, we must show that there exists a finite execution $\alpha_{k+1}$ that satisfies the Properties 1, 2, and 3, for $i = k + 1$. Let $a_{k+1} = a^{PP}_{k+1}$, if $a^{PP}_{k+1} \neq e$, and $a_{k+1} = a^{A_2}_{k+1}$, otherwise. Since $h\text{-}trace(\alpha'_{PP}) = h\text{-}trace(\pi_{PP}(\alpha_{PP \times A_1}))$, $h\text{-}trace(\alpha'_{A_2}) = h\text{-}trace(\pi_{A_1}(\alpha_{PP \times A_1}))$, and $w^{PP}_{i'}.ltime = w^{A_2}_{i'}.ltime$, for all $i' \in \mathbb{N}$, it follows that $(w^{PP}_0 a^{PP}_1 w^{PP}_1 \cdots a^{PP}_k w^{PP}_k a^{PP}_{k+1} \wp(w^{PP}_{k+1}.fstate)).ltime = (w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 \cdots a^{A_2}_k w^{A_2}_k a^{A_2}_{k+1} \wp(w^{A_2}_{k+1}.fstate)).ltime$ and $w^{PP}_{k+1}(t)(z) = w^{A_2}_{k+1}(t)(z)$, for $z \in E_{PP} \cap E_{A_2}$ and $t \in [0, w^{PP}_{k+1}.ltime]$. Thus, the valuations of $w^{PP}_{k+1}$ and $w^{A_2}_{k+1}$ are compatible, for all $t \in [0, w^{PP}_{k+1}.ltime]$, and the trajectory $w_{k+1}$ with domain $[0, w^{PP}_{k+1}.ltime]$ can be defined as $w_{k+1} = w^{PP}_{k+1} \cup w^{A_2}_{k+1}$. By the definition of $a_{k+1}$ and $w_{k+1}$ it follows that $\pi_{PP}(\wp(w_k.lstate) a_{k+1} w_{k+1}) = \wp(w^{PP}_k.lstate) a^{PP}_{k+1} w^{PP}_{k+1}$ and $\pi_{A_2}(\wp(w_k.lstate) a_{k+1} w_{k+1}) = \wp(w^{A_2}_k.lstate) a^{A_2}_{k+1} w^{A_2}_{k+1}$. Thus, from the induction hypothesis it follows that the finite hybrid execution $\alpha_{k+1} = w_0 a_1 w_1 a_2 w_2 \cdots a_k (w_k \frown \wp(w_k.lstate)) a_{k+1} w_{k+1} = w_0 a_1 w_1 a_2 w_2 \cdots a_{k+1} w_{k+1}$ satisfies the conditions $\pi_{PP}(\alpha_{k+1}) = w^{PP}_0 a^{PP}_1 w^{PP}_1 \cdots a^{PP}_{k+1} w^{PP}_{k+1}$ and $\pi_{A_2}(\alpha_{k+1}) = w^{A_2}_0 a^{A_2}_1 w^{A_2}_1 \cdots a^{A_2}_{k+1} w^{A_2}_{k+1}$. Moreover, these two conditions imply that the hybrid execution $\alpha_{k+1}$ is a hybrid execution of $PP \times A_2$, as needed.

From the above induction, it follows that there exists a hybrid execution $\alpha$ of $PP \times A_2$ such that $\pi_{PP}(\alpha) = \alpha'_{PP}$ and $\pi_{A_2}(\alpha) = \alpha'_{A_2}$. However, recall that the execution $\alpha'_{PP}$ of PP is derived from the execution $\pi_{PP}(\alpha_{PP \times A_1})$ by adding environment actions which correspond to inert $\tau$'s and do not appear in the hybrid trace of $\alpha'_{PP}$. Therefore, the execution $\alpha'_{PP}$ of PP starts in a state in $S$ and is restricted to states in $R$ and, moreover, $\alpha'_{PP}.lstate = \pi_{PP}(\alpha_{PP \times A_1}.lstate)$. Finally, since $A_2$ guarantees $G$ in PP from $S$ given $R$ it follows that $\alpha'_{PP}.lstate \in G$. Moreover, since $\alpha'_{PP}.lstate = \pi_{PP}(\alpha_{PP \times A_1}.lstate)$, it is the case that $\pi_{PP}(\alpha_{PP \times A_1}.lstate) \in G$, as needed. ■

We end this section with several compositional theorems for protectors. The first two the- 
orems consider the composition of two or more independent protectors. The third theorem 
considers the composition of two protectors, one of which depends on the other; that is, 
a one-way protector dependency. The fourth and fifth theorems consider the composition 
of two or more protectors that depend on each other; that is, two-way and multiple-way 
protector dependencies. 

Theorem 3.1.3 Suppose that $A_1$ and $A_2$ are protector automata for PP, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that $A_1$ guarantees $G_1$ from $S_1$ given $R_1$ and $A_2$ guarantees $G_2$ from $S_2$ given $R_2$. If the protectors $A_1$ and $A_2$ are compatible, then their composition $A_1 \times A_2$ is a protector that guarantees $G_1 \cap G_2$ from $S_1 \cap S_2$ given $R_1 \cap R_2$.

Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times A_1 \times A_2$ that starts in a state in $S_1 \cap S_2$ and whose states are restricted to the set $R_1 \cap R_2$. Moreover, let $\alpha_{A_1}$ be the projection of $\alpha$ to the HIOA $PP \times A_1$, i.e., $\alpha_{A_1} = \pi_{PP \times A_1}(\alpha)$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_1}$. However, since $A_1$ guarantees $G_1$ from $S_1$ given $R_1$, $S_1 \cap S_2 \subseteq S_1$, and $R_1 \cap R_2 \subseteq R_1$, it follows that all reachable states of PP in $\alpha_{A_1}$ are in $G_1$. Since $\alpha_{A_1}$ is the projection of $\alpha$ to the automaton $PP \times A_1$, it follows that all reachable states of PP in $\alpha$ are in $G_1$ also.

Taking a similar projection of the execution $\alpha$ to the automaton $PP \times A_2$, the desired result follows. ■



Theorem 3.1.4 Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for PP, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1, \ldots, k\}$, $i \neq i'$. Suppose that each of the protectors $A_i$, for all $i \in \{1, \ldots, k\}$, guarantees $G_i$ from $S_i$ given $R_i$. If the protectors $A_1, A_2, \ldots, A_k$ are compatible, then their composition $\prod_{i \in \{1, \ldots, k\}} A_i$ is a protector that guarantees $\bigcap_{i \in \{1, \ldots, k\}} G_i$ from $\bigcap_{i \in \{1, \ldots, k\}} S_i$ given $\bigcap_{i \in \{1, \ldots, k\}} R_i$.

Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times \prod_{i \in \{1, \ldots, k\}} A_i$ that starts in a state in $\bigcap_{i \in \{1, \ldots, k\}} S_i$ and whose states are restricted to the set $\bigcap_{i \in \{1, \ldots, k\}} R_i$. Moreover, let $\alpha_{A_{i'}}$ be the projection of $\alpha$ to the HIOA $PP \times A_{i'}$, for some $i' \in \{1, \ldots, k\}$, i.e., $\alpha_{A_{i'}} = \pi_{PP \times A_{i'}}(\alpha)$. Since the execution $\alpha$ starts in a state in $\bigcap_{i \in \{1, \ldots, k\}} S_i$ and is restricted to the states in $\bigcap_{i \in \{1, \ldots, k\}} R_i$, the same applies to the projected execution $\alpha_{A_{i'}}$. However, since $A_{i'}$ guarantees $G_{i'}$ from $S_{i'}$ given $R_{i'}$, $\bigcap_{i \in \{1, \ldots, k\}} S_i \subseteq S_{i'}$, and $\bigcap_{i \in \{1, \ldots, k\}} R_i \subseteq R_{i'}$, it follows that all reachable states of PP in $\alpha_{A_{i'}}$ are in $G_{i'}$. Since $\alpha_{A_{i'}}$ is the projection of $\alpha$ to the automaton $PP \times A_{i'}$, it follows that all reachable states of PP in $\alpha$ are in $G_{i'}$ also.

Taking similar projections of the execution $\alpha$ to each of the automata $PP \times A_{i''}$, for all $i'' \in \{1, \ldots, k\}$, the desired result follows. ■



Theorem 3.1.5 Suppose that $A_1$ and $A_2$ are protector automata for PP, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that $A_1$ guarantees $G_1$ from $S_1$ given $R_1$ and $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$. If the protectors $A_1$ and $A_2$ are compatible, then their composition $A_1 \times A_2$ is a protector that guarantees $G_1 \cap G_2$ from $S_1 \cap S_2$ given $R_1 \cap R_2$.

Proof: Let $\alpha$ be any finite execution of the HIOA $PP \times A_1 \times A_2$ that starts in a state in $S_1 \cap S_2$ and whose states are restricted to the set $R_1 \cap R_2$. Moreover, let $\alpha_{A_1}$ be the projection of $\alpha$ to the HIOA $PP \times A_1$, i.e., $\alpha_{A_1} = \pi_{PP \times A_1}(\alpha)$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_1}$. However, since $A_1$ guarantees $G_1$ from $S_1$ given $R_1$, $S_1 \cap S_2 \subseteq S_1$, and $R_1 \cap R_2 \subseteq R_1$, it follows that all reachable states of PP in $\alpha_{A_1}$ are in $G_1$. Since $\alpha_{A_1}$ is the projection of $\alpha$ to the automaton $PP \times A_1$, it follows that all reachable states of PP in $\alpha$ are in $G_1$ also.

Now, let $\alpha_{A_2}$ be the projection of the execution $\alpha$ to the automaton $PP \times A_2$. Since the execution $\alpha$ starts in a state in $S_1 \cap S_2$ and is restricted to the states in $R_1 \cap R_2$, the same applies to the projected execution $\alpha_{A_2}$. From above however, all reachable states in $\alpha$ are in $G_1$ and, therefore, it follows that the execution $\alpha_{A_2}$ is restricted to the states in $R_1 \cap R_2 \cap G_1$. However, since $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$, $S_1 \cap S_2 \subseteq S_2$, and $R_1 \cap R_2 \cap G_1 \subseteq R_2 \cap G_1$, it follows that all reachable states of PP in $\alpha_{A_2}$ are in $G_2$. Finally, since $\alpha_{A_2}$ is the projection of $\alpha$ to the automaton $PP \times A_2$, it follows that all reachable states of PP in $\alpha$ are in $G_2$ also. ■

The fourth and fifth composition theorems require a preliminary lemma. 

Lemma 3.1.6 Suppose that $A$ is a protector automaton for PP, with port set $K$. Suppose that $A$ guarantees $G$ from $S$ given $R \cap G'$.

Let $\alpha$ be any finite execution of $PP \times A$ starting in $S$ and all of whose states are in $R$. Letting $(i, t, s)$ be any state occurrence in $\alpha$, if $s \notin G$ then $(i, t, s) \in past(\overline{G'}, \alpha)$.

Proof: Suppose for the sake of contradiction that $s \notin G$ and $(i, t, s) \notin past(\overline{G'}, \alpha)$. Let $\alpha_1$ be the prefix of $\alpha$ ending with $(i, t, s)$. Then, all states of $\alpha_1$ are in $G'$. Since $A$ guarantees $G$ from $S$ given $R \cap G'$, it follows that all states of $\alpha_1$ are in $G$. But this contradicts the assumption that $s \notin G$. ■

Now we can prove the fourth composition theorem — the one involving a two-way protector 
dependency. 

Theorem 3.1.7 Suppose that $A_1$ and $A_2$ are protector automata for PP, with respective port sets $K_1$ and $K_2$, where $K_1 \cap K_2 = \emptyset$. Suppose that the protector $A_1$ guarantees $G_1$ from $S_1$ given $R_1 \cap G_2$ and the protector $A_2$ guarantees $G_2$ from $S_2$ given $R_2 \cap G_1$.

Assume that $\alpha$ is any finite execution of the system $PP \times A_1 \times A_2$, starting from a state in $S_1 \cap S_2$ and all of whose states are in $R_1 \cap R_2$.

Then, one of the following holds:

1. Every state in $\alpha$ is in $G_1 \cap G_2$.

2. The finite execution $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) all state occurrences in $\alpha_1$ except possibly the last are in $G_1 \cap G_2$,

(b) the last state occurrence in $\alpha_1$ is in $G_1$ if and only if it is in $G_2$, and

(c) all state occurrences in $\alpha_2$ except possibly the first are in $past(\overline{G_1}, \alpha) \cap past(\overline{G_2}, \alpha)$.

Proof: Fix $\alpha$ as in the hypothesis. If every state in $\alpha$ is in $G_1 \cap G_2$ then we are done, so assume that some state in $\alpha$ is in $\overline{G_1} \cup \overline{G_2}$. Let $B_1$ and $B_2$ denote $\overline{G_1}$ and $\overline{G_2}$, respectively.

Let $w_i$ be the first trajectory in $\alpha$ containing an occurrence of a state in $B_1 \cup B_2$, and suppose that $w_i$ is a $T_i$-trajectory. Let $T'_i$ be the subset of $T_i$ consisting of all $t$ such that $(i, t, w_i(t)) \in past(B_1 \cup B_2, \alpha)$. Then, $T'_i$ is a non-empty subinterval of $T_i$ that is "upward-closed", i.e., if $t \in T'_i$, $t' \in T_i$, and $t < t'$ then $t' \in T'_i$. Since $T'_i$ is an interval of reals, it has a left endpoint $t$, which might or might not itself be in $T'_i$. Let $s = w_i(t)$.

Then, we claim that splitting $\alpha$ exactly at $(i, t, s)$ yields the needed decomposition into $\alpha_1$ and $\alpha_2$. There are three conditions to check:

1. All state occurrences in $\alpha_1$ except possibly the last are in $G_1 \cap G_2$.
This is true by the definitions of $past$ and $T'_i$.

2. $s \in G_1$ if and only if $s \in G_2$.

Suppose that $s \in B_1$. Then, Lemma 3.1.6 implies that $(i, t, s) \in past(B_2, \alpha)$. However, the definition of $T'_i$ implies that no state occurrence preceding $(i, t, s)$ is in $B_2$. Therefore, it follows that $s \in B_2$.

Similarly, if $s \in B_2$ then $s \in B_1$.

3. All state occurrences in $\alpha_2$ except possibly the first are in $past(B_1, \alpha) \cap past(B_2, \alpha)$.

Consider any state occurrence $(i', t', s')$ in $\alpha_2$ other than the first. By definition of $\alpha_2$ and $past$, it must be that $(i', t', s') \in past(B_1 \cup B_2, \alpha)$. Suppose, without loss of generality, that $(i', t', s') \in past(B_1, \alpha)$. This means that either $(i', t', s') \in B_1$, or there is a state occurrence $(i'', t'', s'')$ preceding $(i', t', s')$ in $\alpha$ such that $(i'', t'', s'') \in B_1$.

In the former case, Lemma 3.1.6 implies that $(i', t', s') \in past(B_2, \alpha)$. In the latter case, Lemma 3.1.6 implies that $(i'', t'', s'') \in past(B_2, \alpha)$. This in turn implies that $(i', t', s') \in past(B_2, \alpha)$. This suffices. ■



In the following theorem, we extend the composition theorem of the two-way protector 
dependency case to the multiple-way protector dependency case; that is, the case in which 
the operation of each of the protectors within a prespecified set of protectors relies on the 
operation of all the other protectors in the set. 
Theorem 3.1.8 Suppose that $A_1, A_2, \ldots, A_k$ are protector automata for PP, with respective port sets $K_1, K_2, \ldots, K_k$, where $K_i \cap K_{i'} = \emptyset$, for all $i, i' \in \{1, \ldots, k\}$, $i \neq i'$. Suppose that each of the protectors $A_i$, for all $i \in \{1, \ldots, k\}$, guarantees $G_i$ from $S_i$ given $R_i \cap \left(\bigcap_{i' \in \{1, \ldots, k\}, i' \neq i} G_{i'}\right)$.

Assume that $\alpha$ is any finite execution of the system $PP \times \prod_{i \in \{1, \ldots, k\}} A_i$, starting from a state in $\bigcap_{i \in \{1, \ldots, k\}} S_i$ and all of whose states are in $\bigcap_{i \in \{1, \ldots, k\}} R_i$.

Then, one of the following holds:

1. Every state in $\alpha$ is in $\bigcap_{i \in \{1, \ldots, k\}} G_i$.

2. The finite execution $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) all state occurrences in $\alpha_1$ except possibly the last are in $\bigcap_{i \in \{1, \ldots, k\}} G_i$,

(b) if the last state occurrence in $\alpha_1$ is in $\overline{G_i}$, for some $i \in \{1, \ldots, k\}$, then there exists $i' \in \{1, \ldots, k\}$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{i'}}$, and

(c) all state occurrences in $\alpha_2$ except possibly the first are in $\bigcap_{i \in I} past(\overline{G_i}, \alpha)$, for some $I \subseteq \{1, \ldots, k\}$, where $|I| \geq 2$.

Proof: Fix $\alpha$ as in the hypothesis. If every state in $\alpha$ is in $\bigcap_{i \in \{1, \ldots, k\}} G_i$ then we are done, so assume that some state in $\alpha$ is in $\bigcup_{i \in \{1, \ldots, k\}} \overline{G_i}$. For all $i \in \{1, \ldots, k\}$, let $B_i$ denote $\overline{G_i}$.

Let $w_j$ be the first trajectory in $\alpha$ containing an occurrence of a state in $\bigcup_{i \in \{1, \ldots, k\}} B_i$, and suppose that $w_j$ is a $T_j$-trajectory. Let $T'_j$ be the subset of $T_j$ consisting of all $t$ such that $(j, t, w_j(t)) \in past(\bigcup_{i \in \{1, \ldots, k\}} B_i, \alpha)$. Then, $T'_j$ is a non-empty subinterval of $T_j$ that is "upward-closed", i.e., if $t \in T'_j$, $t' \in T_j$, and $t < t'$ then $t' \in T'_j$. Since $T'_j$ is an interval of reals, it has a left endpoint $t$, which might or might not itself be in $T'_j$. Let $s = w_j(t)$.

Then, we claim that splitting $\alpha$ exactly at $(j, t, s)$ yields the needed decomposition into $\alpha_1$ and $\alpha_2$. There are three conditions to check:

1. All state occurrences in $\alpha_1$ except possibly the last are in $\bigcap_{i \in \{1, \ldots, k\}} G_i$.
This is true by the definitions of $past$ and $T'_j$.

2. If the last state occurrence in $\alpha_1$ is in $\overline{G_i}$, for some $i \in \{1, \ldots, k\}$, then there exists $i' \in \{1, \ldots, k\}$, $i' \neq i$, such that the last state occurrence in $\alpha_1$ is in $\overline{G_{i'}}$.

Suppose that $s \in B_i$, for some $i \in \{1, \ldots, k\}$. Then, Lemma 3.1.6 implies that $(j, t, s) \in past\left(\overline{\bigcap_{i' \in \{1, \ldots, k\}, i' \neq i} G_{i'}}, \alpha\right)$, i.e., $(j, t, s) \in past(\bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}, \alpha)$. The definition of $T'_j$ implies that no state occurrence preceding $(j, t, s)$ is in the set $\bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}$. Therefore, it follows that $s \in \bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}$. This suffices.

3. All state occurrences in $\alpha_2$ except possibly the first are in $\bigcap_{i \in I} past(\overline{G_i}, \alpha)$, for some $I \subseteq \{1, \ldots, k\}$, where $|I| \geq 2$.

Consider any state occurrence $(j', t', s')$ in $\alpha_2$ other than the first. By definition of $\alpha_2$ and $past$, it must be that $(j', t', s') \in past(\bigcup_{i \in \{1, \ldots, k\}} B_i, \alpha)$. Suppose, without loss of generality, that $(j', t', s') \in past(B_i, \alpha)$, for some $i \in \{1, \ldots, k\}$. This means that either $(j', t', s') \in B_i$, or there is a state occurrence $(j'', t'', s'')$ preceding $(j', t', s')$ in $\alpha$ such that $(j'', t'', s'') \in B_i$.

In the former case, Lemma 3.1.6 implies that the state occurrence $(j', t', s')$ satisfies the condition $(j', t', s') \in past\left(\overline{\bigcap_{i' \in \{1, \ldots, k\}, i' \neq i} G_{i'}}, \alpha\right)$, which is equivalent to $(j', t', s') \in past(\bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}, \alpha)$. In the latter case, Lemma 3.1.6 implies that the state occurrence $(j'', t'', s'')$ satisfies the condition $(j'', t'', s'') \in past\left(\overline{\bigcap_{i' \in \{1, \ldots, k\}, i' \neq i} G_{i'}}, \alpha\right)$, which is equivalent to $(j'', t'', s'') \in past(\bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}, \alpha)$. This in turn implies that $(j', t', s') \in past(\bigcup_{i' \in \{1, \ldots, k\}, i' \neq i} B_{i'}, \alpha)$. This suffices. ■



3.2 An Abstract Protector 

In this section, we define an abstract protector that is parameterized in terms of: 

• PP, a particular physical plant automaton, 

• R, G, and S , sets of states of PP, 

• j, a particular port of PP, and 

• d, a positive real-valued sampling period. 

The PP automaton represents the physical plant being modeled. The set R is the set of 
states to which we restrict the states of the PP automaton while considering a particular 
protector. This set is usually comprised of states satisfying a particular property of the 
physical plant that is required by the protector under consideration. The set G is the set of 
"good" states; that is, the set of states to which the protector is designed to constrain the 
PP automaton. The set S is a set of states from which the protector under consideration 
is said to guarantee G given R; that is, given that the states of the PP automaton are 
restricted to the set R, the protector guarantees that every finite execution starting from an 
initial state in S ends in a state in G. The protector communicates with the PP automaton 
through the port j and has a positive real-valued sampling period d. 

The protector is composed of a sensor automaton and a discrete controller automaton as shown in Figure 3.1. Both the sensor and the discrete controller are described abstractly in terms of PP, etc. At intervals of $d$ time units, the sensor automaton samples the output variables of the PP automaton. The discrete controller automaton is rather nondeterministic. Based on the output state information of the PP automaton sampled by the sensor, the discrete controller issues protective actions so as to guarantee that the PP automaton stays within the set $G$ starting from $S$ given $R$.

Figure 3.1 Compositional structure of a physical plant and an abstract protector.

A particular instantiation of the abstract parameterized protector $Abs(PP, S, R, G, j, d)$ can be defined by simply specifying the parameters PP, $S$, $R$, $G$, $j$, and $d$. Often, after explicitly defining the parameters PP, $S$, $R$, $G$, $j$, and $d$, we refer to the particular abstract protector using only its port index, i.e., $Abs_j$. The same applies for the parameterized sensor and discrete controller automata $Sensor(PP, S, R, G, j, d)$ and $DC(PP, S, R, G, j, d)$, respectively.

In several of the following chapters, we give explicit definitions of protectors for specific 
choices of PP, etc. The abstract protector of this section is used to aid in proving correctness 
of the later protectors. 

3.2.1 Terminology and Assumptions 

In this section, we define several functions and sets, which are useful in the definition and 
in the proof of correctness of the abstract protector, and present the assumptions made 
about the physical plant and the abstract protector automata. It is important to note 
that the assumptions presented in this section must be satisfied by any physical plant and 
abstract protector automata defined and analyzed using the framework developed in this 
thesis. Throughout this section, we also state several lemmas which are used in subsequent 
sections and chapters. 

We begin by stating two simple assumptions about the physical plant automaton. First, we assume that the PP automaton has no input variables on port $j$, for all $j \in J$; that is, the protectors control the state of the physical plant only through input actions. A consequence of this assumption is that the environment action of the PP automaton is stuttering. Second, we assume that the PP automaton has no output actions on port $j$, for all $j \in J$. The physical plant is modeled as a passive system in the sense that the protectors observe the state of the plant only through output variables. These two assumptions are formally stated by the following two axioms.

Axiom 3.2.1 The PP automaton has no input variables on any of its ports, i.e., $U_{PP,j} = \emptyset$, for all $j \in J$.

Axiom 3.2.2 The PP automaton has no output actions on any of its ports, i.e., $\Sigma^{out}_{PP,j} = \emptyset$, for all $j \in J$.

Next, we define a function, $\mathit{future}_{PP,R,j}$, that yields the set of states of PP that are $R$-reachable from the given subset of $R$ within an amount of time in the given subset of $\mathbb{R}^{\geq 0}$, under the constraint that no input actions arrive on port $j$ of the PP automaton.

$\mathit{future}_{PP,R,j} : \mathcal{P}(R) \times \mathcal{P}(\mathbb{R}^{\geq 0}) \to \mathcal{P}(R)$, defined by:

$p \in \mathit{future}_{PP,R,j}(P, T)$, where $P \subseteq R$ and $T \subseteq \mathbb{R}^{\geq 0}$, if and only if $p$ is $R$-reachable from some $p' \in P$ via a finite execution fragment $\alpha$ of PP with no input actions on port $j$ and with $\alpha.ltime \in T$.

When either argument of the function $\mathit{future}_{PP,R,j}$ is a singleton set, we omit the set brackets, e.g., for any $p \in R$ and $t \in \mathbb{R}^{\geq 0}$, we write $\mathit{future}_{PP,R,j}(p, t)$ as shorthand for $\mathit{future}_{PP,R,j}(\{p\}, \{t\})$. Moreover, it is important to note that the function $\mathit{future}_{PP,R,j}$ depends on the automaton PP, the set $R$, and the port $j$. Henceforth however, when the automaton PP, the set $R$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\mathit{future}$ instead of $\mathit{future}_{PP,R,j}$.

Lemma 3.2.1 For all $P, P' \subseteq R$, $T, T' \subseteq \mathbb{R}^{\geq 0}$, and $t, t' \in \mathbb{R}^{\geq 0}$, the following are true:

1. If $P \subseteq P'$ and $T \subseteq T'$ then $\mathit{future}_{PP,R,j}(P, T) \subseteq \mathit{future}_{PP,R,j}(P', T')$.

2. $\mathit{future}_{PP,R,j}(P, t + t') = \mathit{future}_{PP,R,j}(\mathit{future}_{PP,R,j}(P, t), t')$.

3. $P \subseteq \mathit{future}_{PP,R,j}(P, 0)$.

4. $\mathit{future}_{PP,R,j}(\mathit{future}_{PP,R,j}(P, T), T') = \mathit{future}_{PP,R,j}(P, T'')$, where $T'' = \{t + t' \mid t \in T \text{ and } t' \in T'\}$.

Proof: Follow directly from the definition of the function $\mathit{future}$. ■
Lemma 3.2.2 Suppose that $\pi$ is any discrete action of PP other than an input action on port $j$ and that $p, p' \in R$ such that $p \xrightarrow{\pi}_{PP} p'$. Then, for any $T \subseteq \mathbb{R}^{\geq 0}$, $\mathit{future}_{PP,R,j}(p', T) \subseteq \mathit{future}_{PP,R,j}(p, T)$.

Proof: Lemma 3.2.1, part 1, and the fact that $p' \in \mathit{future}(p, 0)$ imply that $\mathit{future}(p', T) \subseteq \mathit{future}(\mathit{future}(p, 0), T)$. Moreover, Lemma 3.2.1, part 4, implies that $\mathit{future}(\mathit{future}(p, 0), T) = \mathit{future}(p, T)$. Therefore, it follows that $\mathit{future}(p', T) \subseteq \mathit{future}(p, T)$, as needed. ■

We define a function, $\mathit{no\text{-}op}_{PP,R,j}$, which yields, for a given state in $R$, the set of input actions on port $j$ of the PP automaton that do not affect the state of the PP automaton, provided they are executed prior to either time-passage, or other input actions on port $j$.

$\mathit{no\text{-}op}_{PP,R,j} : R \to \mathcal{P}(\Sigma^{in}_{PP,j})$, defined by:

$\pi \in \mathit{no\text{-}op}_{PP,R,j}(p)$ if and only if $\pi$ is an input action on port $j$ of PP such that for all $p', p'' \in R$ satisfying $p' \in \mathit{future}_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' = p'$.

Henceforth, for any state $p$ in $R$, the input actions in the set $\mathit{no\text{-}op}_{PP,R,j}(p)$ are referred to as no-op input actions on port $j$ of PP for the state $p$.

It is important to note that the above definition of the function $\mathit{no\text{-}op}_{PP,R,j}$ conforms to Axiom D3 of the HIOA model of Section 2.2 since, by Axiom 3.2.1, the PP automaton has no input variables on any of its ports. Moreover, the function $\mathit{no\text{-}op}_{PP,R,j}$ depends on the automaton PP, the set $R$, and the port $j$. Henceforth however, when the automaton PP, the set $R$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\mathit{no\text{-}op}$ instead of $\mathit{no\text{-}op}_{PP,R,j}$.

We proceed by stating another assumption about the physical plant automaton PP. We 
assume that there exist no-op input actions on port j for every state of the PP automaton 
in the set R. This assumption is formally stated by the following axiom. 

Axiom 3.2.3 For every $p \in R$, it is the case that $\mathit{no\text{-}op}_{PP,R,j}(p) \neq \emptyset$.

Axiom 3.2.3 states that no-op input actions on port $j$ exist for every state $p$ of PP in $R$. It is important to realize, however, that Axiom 3.2.3 does not claim that for $p \in R$ it is possible to determine from the valuation $y = p \lceil Y_{PP}$ of the output variables of the PP automaton which input actions are no-op input actions on port $j$ for the state $p$. In fact, it is plausible that the information provided by the output variables $Y_{PP}$ of the PP automaton is not sufficient to determine which of the input actions $\Sigma^{in}_{PP,j}$ are no-op input actions on port $j$ for each state $p$ of the PP automaton in the set $R$.

Since the PP automaton is assumed to have no input variables on any of its ports (Axiom 3.2.1), input actions of the physical plant are often "idempotent", in the sense that in any execution of the PP automaton if any particular input action $\pi$ on port $j$ is performed consecutively multiple times with no other intervening input actions on port $j$, then all such input actions $\pi$ except the first do not change the state of the PP automaton. For any physical plant automaton PP in which all input actions are idempotent and any state $p$ of the PP automaton in the set $R$, the most recently performed input action on port $j$ is a no-op input action on port $j$ for the state $p$.

We define a set, $\mathit{very\text{-}safe}_{PP,R,G,j}$, which is comprised of the states of PP that satisfy $R$ and from which all $R$-reachable states of PP with no input actions on port $j$ are in $G$. The set $\mathit{very\text{-}safe}_{PP,R,G,j}$ may be interpreted as the set consisting of the states from which the PP automaton is bound to remain within the set $G$ provided that it remains within the set $R$ and the protector on port $j$ does not retract or issue additional protective actions.

$\mathit{very\text{-}safe}_{PP,R,G,j} \subseteq R$, defined by:

$p \in \mathit{very\text{-}safe}_{PP,R,G,j}$ if and only if $\mathit{future}_{PP,R,j}(p, \mathbb{R}^{\geq 0}) \subseteq G$.

It is important to note that the set $\mathit{very\text{-}safe}_{PP,R,G,j}$ depends on the automaton PP, the sets $R$ and $G$, and the port $j$. Henceforth however, when the automaton PP, the sets $R$ and $G$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\mathit{very\text{-}safe}$ instead of $\mathit{very\text{-}safe}_{PP,R,G,j}$.

Lemma 3.2.3

1. $\mathit{very\text{-}safe}_{PP,R,G,j} \subseteq G$.

2. If $p \in \mathit{very\text{-}safe}_{PP,R,G,j}$ then $\mathit{future}_{PP,R,j}(p, \mathbb{R}^{\geq 0}) \subseteq \mathit{very\text{-}safe}_{PP,R,G,j}$.

Proof: Follow directly from the definition of $\mathit{very\text{-}safe}$. ■

We define a set, $\textit{safe}_{PP,R,G,j}$, which is comprised of the states of PP that satisfy $R$ and from which the protector on port $j$ has a "winning protective strategy". Namely, there exists an input action on port $j$ of the PP automaton whose immediate execution — its execution prior to any time-passage, with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port $j$ — guarantees that all subsequent $R$-reachable states of PP with no input actions on port $j$ are in $G$; that is, the state following the execution of the particular input action of PP on port $j$ is in the set $\textit{very-safe}_{PP,R,G,j}$.

$\textit{safe}_{PP,R,G,j} \subseteq R$, defined by:

$p \in \textit{safe}_{PP,R,G,j}$ if and only if both of the following hold:

1. $\textit{future}_{PP,R,j}(p, 0) \subseteq G$.

2. There exists an input action $\pi$ on port $j$, such that for every $p', p'' \in R$ satisfying $p' \in \textit{future}_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \textit{very-safe}_{PP,R,G,j}$.
It is important to note that the set $\textit{safe}_{PP,R,G,j}$ depends on the automaton PP, the sets $R$ and $G$, and the port $j$. Henceforth however, when the automaton PP, the sets $R$ and $G$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\textit{safe}$ instead of $\textit{safe}_{PP,R,G,j}$.

We overload the notation $\textit{safe}_{PP,R,G,j}$ by defining a function, $\textit{safe}_{PP,R,G,j}$, which yields the states of PP that satisfy $R$ and for which the immediate execution of the given input action on port $j$ — its execution prior to any time-passage, with the possibility that its execution follows an arbitrary number of discrete actions other than input actions on port $j$ — guarantees that all subsequent $R$-reachable states of PP with no input actions on port $j$ are in $G$; that is, the state following the execution of the given input action on port $j$ is in the set $\textit{very-safe}_{PP,R,G,j}$.

$\textit{safe}_{PP,R,G,j} : \Sigma^j_{PP} \to \mathcal{P}(R)$, defined by:

$p \in \textit{safe}_{PP,R,G,j}(\pi)$ if and only if both of the following hold:

1. $\textit{future}_{PP,R,j}(p, 0) \subseteq G$.

2. For every $p', p'' \in R$ such that $p' \in \textit{future}_{PP,R,j}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \textit{very-safe}_{PP,R,G,j}$.

It is important to note that the function $\textit{safe}_{PP,R,G,j}$ depends on the automaton PP, the sets $R$ and $G$, and the port $j$. Henceforth however, when the automaton PP, the sets $R$ and $G$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\textit{safe}(\pi)$ instead of $\textit{safe}_{PP,R,G,j}(\pi)$, for any input action $\pi$ of PP on port $j$.

Lemma 3.2.4

1. $\textit{safe}_{PP,R,G,j} \subseteq G$.

2. For any $p \in R$, $p \in \textit{safe}_{PP,R,G,j}$ if and only if $\textit{future}_{PP,R,j}(p, 0) \subseteq \textit{safe}_{PP,R,G,j}$.

3. $\textit{very-safe}_{PP,R,G,j} \subseteq \textit{safe}_{PP,R,G,j}$.

Proof:

1. Let $p$ be any state in $\textit{safe}$. From the definition of $\textit{safe}$ it follows that $\textit{future}(p, 0) \subseteq G$. Therefore, Lemma 3.2.1, part 3, implies that $p \in G$. It follows that $\textit{safe} \subseteq G$.

2. In the forward direction, let $p \in \textit{safe}$ and $p' \in \textit{future}(p, 0)$. We must show that $p' \in \textit{safe}$; that is, we must show that (i) $\textit{future}(p', 0) \subseteq G$, and (ii) there exists an input action $\pi$ on port $j$ such that for all $p'', p''' \in R$ satisfying $p'' \in \textit{future}(p', 0)$ and $p'' \xrightarrow{\pi}_{PP} p'''$, it is the case that $p''' \in \textit{very-safe}$. Lemma 3.2.2 implies that $\textit{future}(p', 0) \subseteq \textit{future}(p, 0)$ and, therefore, the conditions to be shown follow from the fact that $p \in \textit{safe}$.

For the converse, let $p \in R$ and $\textit{future}(p, 0) \subseteq \textit{safe}$. We must show that $p \in \textit{safe}$. From Lemma 3.2.1, part 3, it is the case that $p \in \textit{future}(p, 0)$. Therefore, it follows that $p \in \textit{safe}$.

3. Letting $p \in \textit{very-safe}$, we must show that $p \in \textit{safe}$; that is, we must show that (i) $\textit{future}(p, 0) \subseteq G$, and (ii) there exists an input action $\pi$ on port $j$ such that for all $p', p'' \in R$ satisfying $p' \in \textit{future}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \textit{very-safe}$.

For the first condition, Lemma 3.2.1, part 1, implies that $\textit{future}(p, 0) \subseteq \textit{future}(p, \mathbb{R}^{\ge 0})$. However, since $p \in \textit{very-safe}$ it is the case that $\textit{future}(p, \mathbb{R}^{\ge 0}) \subseteq G$. Therefore, it follows that $\textit{future}(p, 0) \subseteq G$, as needed.

For the second condition, since $\textit{no-op}(p) \neq \emptyset$ by Axiom 3.2.3, let $\pi \in \textit{no-op}(p)$. Moreover, let $p', p'' \in R$ such that $p' \in \textit{future}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$. Since $p \in \textit{very-safe}$, Lemma 3.2.3, part 2, implies that $p' \in \textit{very-safe}$. Moreover, since $\pi$ is defined to be a no-op input action on port $j$ for the state $p$, it follows that $p'' = p'$. Therefore, it is the case that $p'' \in \textit{very-safe}$, as needed. ■



We proceed by stating two more assumptions about the PP automaton. We assume that 
membership of a state of the PP automaton in the set safe is determinable from the output 
variables of the PP automaton, i.e., the set safe is Ypp-determinable (as defined in Sec- 
tion 2.1). Moreover, we assume that for any state in the set safe, an appropriate action to 
guarantee safety can be determined from the output variables of the PP automaton, i.e., the 
variables in Ypp. These two assumptions are formally stated by the following two axioms. 

Axiom 3.2.4 $\textit{safe}_{PP,R,G,j}$ is $Y_{PP}$-determinable.

For any valuation $y$ of the output variables $Y_{PP}$ of the PP automaton, we use the notation $y \in \textit{safe}$ to denote the existence of a state $p \in \textit{safe}$ such that $p\lceil Y_{PP} = y$. In fact, by Axiom 3.2.4, for any valuation $y$ of the output variables $Y_{PP}$ of the PP automaton, the existence of a state $p \in \textit{safe}$ such that $p\lceil Y_{PP} = y$ implies that all states $p' \in R$ such that $p'\lceil Y_{PP} = y$ are in the set $\textit{safe}$.

Axiom 3.2.5 There exists a function, $\textit{decision}$, from valuations of $Y_{PP}$ to $\Sigma^j_{PP}$ such that for any $y \in Y_{PP}$ and $p \in R$ satisfying $p\lceil Y_{PP} = y$, it is the case that if $y \in \textit{safe}_{PP,R,G,j}$ then $p \in \textit{safe}_{PP,R,G,j}(\textit{decision}(y))$.

We define a function, $\textit{delay-safe}_{PP,R,G,j}$, which yields the set of states of PP that satisfy $R$ and for which all states $R$-reachable within the given amount of time and with no input actions on port $j$ are in $G$, and all states $R$-reachable in exactly the given amount of time and with no input actions on port $j$ are in $\textit{safe}_{PP,R,G,j}$.

$\textit{delay-safe}_{PP,R,G,j} : \mathbb{R}^{\ge 0} \to \mathcal{P}(R)$, defined by:

$p \in \textit{delay-safe}_{PP,R,G,j}(t)$ if and only if both of the following hold:

1. $\textit{future}_{PP,R,j}(p, [0, t]) \subseteq G$.

2. $\textit{future}_{PP,R,j}(p, t) \subseteq \textit{safe}_{PP,R,G,j}$.



It is important to note that the function $\textit{delay-safe}_{PP,R,G,j}$ depends on the automaton PP, the sets $R$ and $G$, and the port $j$. Henceforth however, when the automaton PP, the sets $R$ and $G$, and the port $j$ are clear from context, they are omitted; that is, we use the notation $\textit{delay-safe}(t)$ instead of $\textit{delay-safe}_{PP,R,G,j}(t)$, for any $t \in \mathbb{R}^{\ge 0}$.



Lemma 3.2.5 For any $t, t' \in \mathbb{R}^{\ge 0}$ such that $t < t'$, the following hold:

1. $\textit{very-safe}_{PP,R,G,j} \subseteq \textit{delay-safe}_{PP,R,G,j}(t)$.

2. $\textit{safe}_{PP,R,G,j} = \textit{delay-safe}_{PP,R,G,j}(0)$.

3. $\textit{delay-safe}_{PP,R,G,j}(t') \subseteq \textit{delay-safe}_{PP,R,G,j}(t)$.

Proof: Follows directly from the definitions of $\textit{very-safe}$, $\textit{safe}$, and $\textit{delay-safe}(t)$, for any $t \in \mathbb{R}^{\ge 0}$, and Lemmas 3.2.3 and 3.2.4. ■

We conclude by stating three assumptions made about the abstract protector automaton. In particular, we assume that the state information provided by the output variables of the PP automaton is sufficient to determine membership of any state of the PP automaton in the sets $R$ and $G$, i.e., the sets $R$ and $G$ are $Y_{PP}$-determinable (as defined in Section 2.1). Moreover, we assume that the set of start states $S$ is a subset of the set $\textit{safe}$. These assumptions are formally stated by the following three axioms.

Axiom 3.2.6 $R$ is $Y_{PP}$-determinable.

Axiom 3.2.7 $G$ is $Y_{PP}$-determinable.

Axiom 3.2.8 $S \subseteq \textit{safe}_{PP,R,G,j}$.

As noted above, all assumptions described by Axioms 3.2.1-3.2.8 must be satisfied by the 
physical plant and abstract protector automata defined and analyzed using the framework 
developed in this thesis. 

3.2.2 Sensor Automata 

The sensor automaton $\textit{Sensor}_j$, defined in Figure 3.2, behaves as follows: at time 0 and every $d$ time units thereafter, it outputs the valuation $y$ of the output variables $Y_{PP}$ of the PP automaton using a $\textit{snapshot}(y)_j$ output action. The $\textit{Sensor}_j$ automaton keeps track of the appropriate times for scheduling each $\textit{snapshot}(y)_j$ action, for $y \in Y_{PP}$, using the internal variables $\textit{now}_j$ and $\textit{next-snap}_j$. The variable $\textit{now}_j$ stores the time that has elapsed from the beginning of the particular execution of the $\textit{Sensor}_j$ automaton. The variable $\textit{next-snap}_j$ stores the next point in time at which the output variables $Y_{PP}$ of the PP automaton must be sampled.

Figure 3.2 $\textit{Sensor}_j$ automaton definition.

Actions:
    Input:    $e$, the environment action
    Output:   $\textit{snapshot}(y)_j$, for each valuation $y$ of $Y_{PP}$, i.e., for all $y \in Y_{PP}$

Variables:
    Input:    $u \in \textit{type}(u)$, for all $u \in Y_{PP}$, initially $u \in \textit{type}(u)$, for each $u \in Y_{PP}$
    Internal: $\textit{now}_j \in \mathbb{R}^{\ge 0}$, initially 0
              $\textit{next-snap}_j \in \mathbb{R}^{\ge 0}$, initially 0

Discrete Transitions:
    $e$
        Eff: $Y_{PP} :\in Y_{PP}$
    $\textit{snapshot}(y)_j$
        Pre: $\textit{next-snap}_j = \textit{now}_j$
             $y$ is the current valuation of $Y_{PP}$
        Eff: $Y_{PP} :\in Y_{PP}$
             $\textit{next-snap}_j := \textit{now}_j + d$

Trajectories:
    for all $u \in Y_{PP}$, $u$ assumes arbitrary values in $\textit{type}(u)$ throughout $w$
    $\textit{next-snap}_j$ is constant throughout $w$
    for all $t$ in the domain of $w$
        $w(t).\textit{now}_j = w(0).\textit{now}_j + t$
        $w(t).\textit{now}_j \le w(t).\textit{next-snap}_j$

The discrete actions of the $\textit{Sensor}_j$ automaton are the input action $e$ and the output actions $\textit{snapshot}(y)_j$, for all $y \in Y_{PP}$. The environment action $e$ allows for arbitrary changes to the input variables $Y_{PP}$ as a consequence of discrete transitions outside the $\textit{Sensor}_j$ automaton but does not affect the local variables of the $\textit{Sensor}_j$ automaton. Each $\textit{snapshot}(y)_j$ action, for $y \in Y_{PP}$, outputs the valuation $y$ of the output variables $Y_{PP}$ of the PP automaton. In order to conform to Axiom D3 of the HIOA model of Section 2.2, each input variable $u$ of the $\textit{Sensor}_j$ automaton, for $u \in Y_{PP}$, is assigned an arbitrary value in the set $\textit{type}(u)$. It can easily be seen that the $\textit{Sensor}_j$ automaton satisfies the Axioms D1–D3 of the HIOA model of Section 2.2.

The trajectory specification for the $\textit{Sensor}_j$ automaton gives restrictions on a trajectory $w$ over its time domain. Since the $\textit{Sensor}_j$ automaton has no control over its input variables, the input variables of the $\textit{Sensor}_j$ automaton are allowed to change arbitrarily throughout a trajectory $w$. It is important to note that the $\textit{Sensor}_j$ automaton does not allow time-passage unless the condition $\textit{now}_j < \textit{next-snap}_j$ is satisfied. As a result, in order for time to proceed when $\textit{now}_j = \textit{next-snap}_j$, a $\textit{snapshot}(y)_j$ output action, for some $y \in Y_{PP}$, is eventually scheduled. It can easily be seen that the $\textit{Sensor}_j$ automaton satisfies the Axioms T1–T3 of the HIOA model of Section 2.2.

Finally, since each input variable $u$ of the $\textit{Sensor}_j$ automaton, for $u \in Y_{PP}$, can initially assume an arbitrary value in the set $\textit{type}(u)$, the $\textit{Sensor}_j$ automaton satisfies Axiom Init of the HIOA model of Section 2.2. Since the $\textit{Sensor}_j$ automaton satisfies the Axioms Init, D1–D3, and T1–T3 of the HIOA model of Section 2.2, it follows that it is a HIOA.

3.2.3 Discrete Controller Automata 

The discrete controller automaton $DC_j$, defined in Figure 3.3, uses the valuation of the output variables of the PP automaton, which is sampled by the $\textit{Sensor}_j$ automaton, to determine which protective action must be scheduled so as to guarantee that (i) the PP automaton remains within the set $G$ up to the next sampling point, and (ii) the state of the PP automaton at the next sampling point is in the set $\textit{safe}$.

The discrete actions of the $DC_j$ automaton are the input action $e$, the input actions $\textit{snapshot}(y)_j$, for all $y \in Y_{PP}$, and the output actions $\pi$, for all $\pi \in \Sigma^j_{PP}$. The environment action $e$ allows the scheduling of discrete transitions outside the $DC_j$ automaton. Since the $DC_j$ automaton has no input variables, the environment action $e$ is stuttering; that is, the execution of the environment action $e$ does not affect the state of the $DC_j$ automaton. Each $\textit{snapshot}(y)_j$ action, for $y \in Y_{PP}$, determines which output action $\pi$ in the set $\Sigma^j_{PP}$ should be scheduled and stores it in the internal variable $\textit{send}_j$. In a subsequent step, prior to any time-passage but with the possibility of intervening discrete actions, the $DC_j$ automaton schedules the output action $\pi$ that is stored in the internal variable $\textit{send}_j$. It is important to note that time-passage is not enabled while any of the actions $\pi$ in $\Sigma^j_{PP}$ is enabled. As a result, in order for time to proceed, the action $\pi$ that is stored in the internal variable $\textit{send}_j$ is eventually scheduled. It can easily be seen that the $DC_j$ automaton satisfies the Axioms D1–D3 of the HIOA model of Section 2.2.

The trajectory specification of the $DC_j$ automaton is trivial. It simply states that the internal variable $\textit{send}_j$, which comprises the state of the $DC_j$ automaton, remains unchanged and equal to $\textit{null}$ throughout any trajectory of the $DC_j$ automaton. It can easily be seen that the $DC_j$ automaton satisfies the Axioms T1–T3 of the HIOA model of Section 2.2.

Finally, since the $DC_j$ automaton has no input variables, Axiom Init of the HIOA model of Section 2.2 is trivially satisfied. Since the $DC_j$ automaton satisfies the Axioms Init, D1–D3, and T1–T3 of the HIOA model of Section 2.2, it follows that it is a HIOA.

Figure 3.3 $DC_j$ automaton definition.

Actions:
    Input:    $e$, the environment action (stuttering)
              $\textit{snapshot}(y)_j$, for each valuation $y$ of $Y_{PP}$, i.e., for all $y \in Y_{PP}$
    Output:   $\pi$, for all $\pi \in \Sigma^j_{PP}$, i.e., all the input actions on port $j$ of PP

Variables:
    Internal: $\textit{send}_j \in \Sigma^j_{PP} \cup \{\textit{null}\}$, initially $\textit{null}$

Discrete Transitions:
    $e$
        Eff: None
    $\textit{snapshot}(y)_j$
        Eff: if $y \in \textit{safe}_{PP,R,G,j}$ then
                 $\textit{send}_j :\in \{\phi \in \Sigma^j_{PP} \mid \forall\, p, p', p'' \in R$ such that $p\lceil Y_{PP} = y$, $p' \in \textit{future}_{PP,R,j}(p, 0)$, and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}_{PP,R,G,j}(d)\}$
             else
                 $\textit{send}_j :\in \Sigma^j_{PP}$
    $\pi$, for $\pi \in \Sigma^j_{PP}$
        Pre: $\textit{send}_j = \pi$
        Eff: $\textit{send}_j := \textit{null}$

Trajectories:
    $w.\textit{send}_j = \textit{null}$

The $DC_j$ automaton's decision as to which output action to enable and subsequently schedule is made nondeterministically. Let $y$ be any valuation of the output variables $Y_{PP}$ of the PP automaton, i.e., $y \in Y_{PP}$.

On one hand, if $y \in \textit{safe}$, then an output action $\phi$ in $\Sigma^j_{PP}$ is allowed only if for all $p, p', p'' \in R$ such that $p\lceil Y_{PP} = y$, $p' \in \textit{future}(p, 0)$, and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$. Let $\Phi$ be the set of all output actions $\phi$ in $\Sigma^j_{PP}$ allowed by the $DC_j$ automaton in this case. In order for an implementation of a particular instantiation of the $DC_j$ automaton to exist, it is imperative that the set of output actions $\Phi$ be non-empty and that at least one of the actions in $\Phi$ can be determined from the valuation $y$ of $Y_{PP}$. In fact, since $y \in \textit{safe}$, an output action $\pi$ in $\Sigma^j_{PP}$ that is allowed by the $DC_j$ automaton is guaranteed to exist, i.e., $\Phi \neq \emptyset$. Axiom 3.2.4 implies that for all $p \in R$ such that $p\lceil Y_{PP} = y$ it is the case that $p \in \textit{safe}$, i.e., for all $p \in R$ such that $p\lceil Y_{PP} = y$, there exists an action $\pi$ in $\Sigma^j_{PP}$ such that for all $p', p'' \in R$ satisfying $p' \in \textit{future}(p, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \textit{very-safe}$. Therefore, from Lemma 3.2.5, part 1, it follows that $p'' \in \textit{delay-safe}(d)$, as needed. Moreover, by Axiom 3.2.5, an output action $\pi$ in $\Sigma^j_{PP}$ that is allowed by the $DC_j$ automaton can be determined from the valuation $y$ of $Y_{PP}$; that is, there exists a function, $\textit{decision}$, from valuations of $Y_{PP}$ to $\Sigma^j_{PP}$, such that for any $y \in Y_{PP}$ and $p \in R$ satisfying $p\lceil Y_{PP} = y$, it is the case that $p \in \textit{safe}(\textit{decision}(y))$.

On the other hand, if $y \notin \textit{safe}$, then any output action $\pi$ of the $DC_j$ automaton is allowed by default. However, as shown in the following section, this default case never occurs in states that are $R$-reachable by a finite execution of the composed system $PP \times \textit{Sensor}_j \times DC_j$ starting in an initial state in the set $S$.

The nondeterminism in the description of the $DC_j$ automaton allows the freedom to choose any response that satisfies the given conditions — however, in any discrete controller automaton implementation, a response that least restricts the future states of the physical plant automaton PP would be preferred because it would represent a weaker protective action.

Henceforth, let the "abstract protector" automaton $\textit{Abs}_j$ be the composition of the $\textit{Sensor}_j$ and $DC_j$ automata, i.e., $\textit{Abs}_j = \textit{Sensor}_j \times DC_j$. Proposition 2.7.1 implies that the automaton $\textit{Abs}_j$ is a HIOA.
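The sets of Section 3.2.1 and the $DC_j$ rule above can be computed outright when the plant is finite. The following Python script is an added example, not code from the thesis or from the PRT project: it assumes a constructed one-vehicle, discrete-time plant (integer positions and velocities on a bounded grid, a wall whose far side is the complement of $G$, $R$ equal to the whole grid, and $\textit{brake}$/$\textit{unbrake}$ as the two input actions on port $j$), computes $\textit{very-safe}$ as a greatest fixed point, derives $\textit{safe}$ and $\textit{delay-safe}(t)$ from it, checks the inclusions of Lemma 3.2.5, and runs the sampled controller with period $d$ against a plant that always accelerates as hard as it can. The names time_step, decision and run_protected are the example's own, and the plant is fully observed, so the sampled valuation $y$ is the whole state.

```python
"""Added example: a finite, discrete-time toy instance of the sets
very-safe, safe and delay-safe and of the DC_j decision rule.
Everything here is constructed for illustration; it is not the thesis's
own model or code.
"""
from itertools import product

# Constructed plant: one vehicle on a grid track, time advances in unit steps.
WALL = 10        # G = {states with position < WALL}
PMAX = 12        # positions are clipped to 0..PMAX; R is the whole grid
VMAX = 4         # velocities 0..VMAX
C_BRAKE = 2      # braking removes 2 units of velocity per time unit
ACCELS = (-1, 0, 1)   # plant's free choice of acceleration when not braking

# Input actions on port j, weakest first (DC_j prefers the weaker one).
PORT_ACTIONS = ("unbrake", "brake")

R = {(p, v, b) for p, v, b in product(range(PMAX + 1), range(VMAX + 1), (False, True))}
G = {s for s in R if s[0] < WALL}


def apply_action(s, act):
    """Discrete transition for an input action on port j (takes no time)."""
    pos, vel, _ = s
    return (pos, vel, act == "brake")


def time_step(s):
    """States reachable by exactly one unit of time-passage with no port-j
    action; the plant picks the acceleration, so the result is a set."""
    pos, vel, braking = s
    new_pos = min(PMAX, pos + vel)
    if braking:
        return {(new_pos, max(0, vel - C_BRAKE), True)}
    return {(new_pos, min(VMAX, max(0, vel + a)), False) for a in ACCELS}


def future(s, t):
    """future_{PP,R,j}(s, t): states reachable in exactly t time units."""
    frontier = {s}
    for _ in range(t):
        frontier = set().union(*(time_step(q) for q in frontier))
    return frontier


def future_interval(s, t):
    """future_{PP,R,j}(s, [0, t])."""
    return set().union(*(future(s, k) for k in range(t + 1)))


def very_safe():
    """very-safe: the largest subset of G closed under time_step, found by
    removing states with a successor outside the set until nothing changes."""
    vs = set(G)
    changed = True
    while changed:
        changed = False
        for s in list(vs):
            if not time_step(s) <= vs:
                vs.discard(s)
                changed = True
    return vs


VERY_SAFE = very_safe()


def safe_for(act):
    """safe(act): states of G where applying act right now lands in very-safe.
    In this toy future(s, 0) = {s}, since no zero-time plant actions exist."""
    return {s for s in G if apply_action(s, act) in VERY_SAFE}


SAFE = set().union(*(safe_for(a) for a in PORT_ACTIONS))


def delay_safe(t):
    """delay-safe(t): stays in G for t time units and is safe at time t."""
    return {s for s in R if future_interval(s, t) <= G and future(s, t) <= SAFE}


def decision(y, d):
    """DC_j rule on a sampled (here fully observed) state y: the weakest port
    action whose immediate application puts the plant in delay-safe(d)."""
    target = delay_safe(d)
    for act in PORT_ACTIONS:
        if apply_action(y, act) in target:
            return act
    raise ValueError(f"{y} is not in safe; the DC_j rule is undefined here")


def run_protected(start, d, steps):
    """Closed loop PP x Sensor_j x DC_j: every d time units the state is
    sampled and the chosen action is applied before time passes; in between,
    the plant always picks the successor with the largest velocity."""
    s = start
    trace = [s]
    for k in range(steps):
        if k % d == 0:
            s = apply_action(s, decision(s, d))
        s = max(time_step(s))
        trace.append(s)
    return trace
```

Running it shows what the weakest-action preference buys: the vehicle is allowed to move (the controller answers unbrake as long as the next sample is still guaranteed to be in safe) and is braked only when the worst-case acceleration would leave the next sampled state outside safe; with d = 1 the worst-case run comes to rest one cell short of the wall, and with d = 2 the wall is still never reached.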

3.2.4 Correctness of the Abstract Protector 

In this section, we prove that the abstract protector Absj guarantees G in the physical 
plant PP from S given R. 



Lemma 3.2.6 For any reachable state $s$ of $\textit{Abs}(PP, S, R, G, j, d)$, if $s.\textit{next-snap}_j = s.\textit{now}_j$ then $s.\textit{send}_j = \textit{null}$.

Proof: Follows directly from the definition of the $\textit{Sensor}_j$ and the $DC_j$ automata. ■

The following lemma considers the composition $PP \times \textit{Abs}_j$ of the physical plant automaton PP and the abstract protector automaton $\textit{Abs}_j$. Let $s$ be any state of the composed system and let $s.\textit{ppstate}$ be the restriction of $s$ onto the state space of the PP automaton, i.e., $s.\textit{ppstate} = s\lceil V_{PP}$.

Lemma 3.2.7 The following are true in any state $s$ of $PP \times \textit{Abs}(PP, S, R, G, j, d)$ that is reachable from an initial state in $\textit{safe}_{PP,R,G,j}$ via an execution that only involves states in $R$.

1. If $s.\textit{send}_j = \textit{null}$, then $s.\textit{ppstate} \in \textit{delay-safe}_{PP,R,G,j}(s.\textit{next-snap}_j - s.\textit{now}_j)$.

2. If $s.\textit{send}_j = \phi$, for some $\phi \in \Sigma^j_{PP}$, then

   (a) $\textit{future}_{PP,R,j}(s.\textit{ppstate}, 0) \subseteq G$, and

   (b) for every $p', p'' \in R$ such that $p' \in \textit{future}_{PP,R,j}(s.\textit{ppstate}, 0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}_{PP,R,G,j}(d)$.

Proof: In an initial state of $PP \times \textit{Abs}_j$ it is the case that $s.\textit{send}_j = \textit{null}$. Therefore, since the first clause of the invariant applies, we must show that $s.\textit{ppstate} \in \textit{delay-safe}(s.\textit{next-snap}_j - s.\textit{now}_j)$. However, in an initial state of $PP \times \textit{Abs}_j$ it is the case that $s.\textit{next-snap}_j = s.\textit{now}_j = 0$. Therefore, we must show that $s.\textit{ppstate} \in \textit{delay-safe}(0)$, which by Lemma 3.2.5, part 2, is equivalent to $s.\textit{ppstate} \in \textit{safe}$. But this is true by our assumption about the start states of the executions considered in this lemma.

We now show that the invariant is preserved by every discrete transition $s \xrightarrow{\pi} s'$ of $PP \times \textit{Abs}_j$, for $s, s' \in \textit{states}(PP \times \textit{Abs}_j)$ such that $s.\textit{ppstate}, s'.\textit{ppstate} \in R$ and $\pi \in \Sigma_{PP \times \textit{Abs}_j}$. We consider cases:

1. $\pi = \textit{snapshot}(y)_j$.

From the effects of the $\textit{snapshot}(y)_j$ action, it follows that $s'.\textit{send}_j \in \Sigma^j_{PP}$. Therefore, we must show the second clause of the invariant for the state $s'$; that is, writing $\phi = s'.\textit{send}_j$, we must show that (a) $\textit{future}(s'.\textit{ppstate}, 0) \subseteq G$, and (b) for every $p', p'' \in R$ such that $p' \in \textit{future}(s'.\textit{ppstate}, 0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$.

Lemma 3.2.6 and the precondition of the $\textit{snapshot}(y)_j$ action imply that $s.\textit{send}_j = \textit{null}$. Therefore, the invariant for $s$ implies that $s.\textit{ppstate} \in \textit{delay-safe}(s.\textit{next-snap}_j - s.\textit{now}_j)$. Since the precondition of the $\textit{snapshot}(y)_j$ action implies that $s.\textit{next-snap}_j = s.\textit{now}_j$, it follows that $s.\textit{ppstate} \in \textit{delay-safe}(0)$. Therefore, Lemma 3.2.5, part 2, implies that $s.\textit{ppstate} \in \textit{safe}$.

For condition (a), since $s.\textit{ppstate} \in \textit{safe}$, it is the case that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$. Since the $\textit{snapshot}(y)_j$ action affects only the variable $\textit{send}_j$ of the $DC_j$ automaton and the PP automaton has no input variables on any of its ports, it is the case that $s'.\textit{ppstate} = s.\textit{ppstate}$. Therefore, it follows that $\textit{future}(s'.\textit{ppstate}, 0) \subseteq G$, as needed.

For condition (b), since $s.\textit{ppstate} \in \textit{safe}$, the "then clause" of the determination of $s'.\textit{send}_j$ is used. Therefore, the discrete step $s \xrightarrow{\pi} s'$ sets the variable $s'.\textit{send}_j$ to some $\phi$ in $\Sigma^j_{PP}$ with the property that for every $p', p'' \in R$ such that $p' \in \textit{future}(s'.\textit{ppstate}, 0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$, as needed.

2. $\pi \in \Sigma^j_{PP}$.

The precondition implies that $s.\textit{send}_j = \pi \neq \textit{null}$. Therefore, the invariant for the state $s$ implies that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \textit{future}(s.\textit{ppstate}, 0)$ and $p' \xrightarrow{\pi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$. As a result of the step, it is the case that $s'.\textit{send}_j = \textit{null}$ and $s'.\textit{next-snap}_j - s'.\textit{now}_j = d$. Moreover, the invariant for the state $s$ implies that $s'.\textit{ppstate} \in \textit{delay-safe}(d)$. Since $s'.\textit{next-snap}_j - s'.\textit{now}_j = d$ and $s'.\textit{ppstate} \in \textit{delay-safe}(d)$, it follows that $s'.\textit{ppstate} \in \textit{delay-safe}(s'.\textit{next-snap}_j - s'.\textit{now}_j)$, as needed.

3. $\pi \in \Sigma_{PP} - \Sigma^j_{PP}$ ($\pi$ is a discrete action of PP other than an input action on port $j$).

For any discrete action $\pi$ of the PP automaton other than an input action on port $j$, it is the case that $s.\textit{send}_j = s'.\textit{send}_j$, $s.\textit{now}_j = s'.\textit{now}_j$, and $s.\textit{next-snap}_j = s'.\textit{next-snap}_j$.

If $s.\textit{send}_j = \textit{null}$, then the invariant for $s$ implies that $s.\textit{ppstate} \in \textit{delay-safe}(t)$, where $t = s.\textit{next-snap}_j - s.\textit{now}_j$; that is, $\textit{future}(s.\textit{ppstate}, [0, t]) \subseteq G$ and $\textit{future}(s.\textit{ppstate}, t) \subseteq \textit{safe}$. However, Lemma 3.2.2 implies that $\textit{future}(s'.\textit{ppstate}, t) \subseteq \textit{future}(s.\textit{ppstate}, t)$, for all $t \in \mathbb{R}^{\ge 0}$. Since $s.\textit{next-snap}_j - s.\textit{now}_j = s'.\textit{next-snap}_j - s'.\textit{now}_j$, it follows that $\textit{future}(s'.\textit{ppstate}, [0, t]) \subseteq G$ and $\textit{future}(s'.\textit{ppstate}, t) \subseteq \textit{safe}$, where $t = s'.\textit{next-snap}_j - s'.\textit{now}_j$. These two conditions imply that $s'.\textit{ppstate} \in \textit{delay-safe}(s'.\textit{next-snap}_j - s'.\textit{now}_j)$. This yields the invariant.

A similar argument holds if $s.\textit{send}_j = \phi$, for some $\phi \in \Sigma^j_{PP}$. In this case, the invariant for $s$ implies that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \textit{future}(s.\textit{ppstate}, 0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$. However, Lemma 3.2.2 implies that $\textit{future}(s'.\textit{ppstate}, 0) \subseteq \textit{future}(s.\textit{ppstate}, 0)$. Therefore, it follows that $\textit{future}(s'.\textit{ppstate}, 0) \subseteq G$ and that for every $p', p'' \in R$ such that $p' \in \textit{future}(s'.\textit{ppstate}, 0)$ and $p' \xrightarrow{\phi}_{PP} p''$, it is the case that $p'' \in \textit{delay-safe}(d)$. This yields the invariant.

4. $\pi = e$ ($\pi$ is the environment action).

Since the input variables of the $\textit{Sensor}_j$ automaton are the output variables of the PP automaton, the $DC_j$ automaton has no input variables, and the PP automaton has no input variables on any of its ports, it follows that the composition $PP \times \textit{Abs}_j$ has no input variables. Therefore, the action $\pi$ is the stuttering environment action, i.e., $s' = s$, and the invariant for the state $s$ implies the invariant for the state $s'$.

Finally, we show that the invariant is preserved by any non-trivial closed trajectory $w$ in $\mathcal{W}_{PP \times \textit{Abs}_j}$. Suppose that the states $s$ and $s'$, for some $s, s' \in \textit{states}(PP \times \textit{Abs}_j)$ such that $s.\textit{ppstate}, s'.\textit{ppstate} \in R$, are the first and last states of the trajectory $w$, respectively. Since time-passage is enabled, it is the case that $\textit{send}_j = \textit{null}$ throughout the trajectory $w$. Therefore, the invariant for the state $s$ implies that $s.\textit{ppstate} \in \textit{delay-safe}(s.\textit{next-snap}_j - s.\textit{now}_j)$; that is, $\textit{future}(s.\textit{ppstate}, [0, s.\textit{next-snap}_j - s.\textit{now}_j]) \subseteq G$ and $\textit{future}(s.\textit{ppstate}, s.\textit{next-snap}_j - s.\textit{now}_j) \subseteq \textit{safe}$. We must show that $s'.\textit{ppstate} \in \textit{delay-safe}(s'.\textit{next-snap}_j - s'.\textit{now}_j)$; that is, $\textit{future}(s'.\textit{ppstate}, [0, s'.\textit{next-snap}_j - s'.\textit{now}_j]) \subseteq G$ and $\textit{future}(s'.\textit{ppstate}, s'.\textit{next-snap}_j - s'.\textit{now}_j) \subseteq \textit{safe}$. It suffices to show that $\textit{future}(s'.\textit{ppstate}, [0, s'.\textit{next-snap}_j - s'.\textit{now}_j]) \subseteq \textit{future}(s.\textit{ppstate}, [0, s.\textit{next-snap}_j - s.\textit{now}_j])$ and $\textit{future}(s'.\textit{ppstate}, s'.\textit{next-snap}_j - s'.\textit{now}_j) \subseteq \textit{future}(s.\textit{ppstate}, s.\textit{next-snap}_j - s.\textit{now}_j)$.

From the fact that $s'.\textit{ppstate} \in \textit{future}(s.\textit{ppstate}, w.\textit{ltime})$ and Lemma 3.2.1, part 1, it follows that $\textit{future}(s'.\textit{ppstate}, [0, s'.\textit{next-snap}_j - s'.\textit{now}_j]) \subseteq \textit{future}(\textit{future}(s.\textit{ppstate}, w.\textit{ltime}), [0, s'.\textit{next-snap}_j - s'.\textit{now}_j])$. But Lemma 3.2.1, part 4, implies that $\textit{future}(\textit{future}(s.\textit{ppstate}, w.\textit{ltime}), [0, s'.\textit{next-snap}_j - s'.\textit{now}_j]) = \textit{future}(s.\textit{ppstate}, [w.\textit{ltime}, s'.\textit{next-snap}_j - s'.\textit{now}_j + w.\textit{ltime}])$. Moreover, from Lemma 3.2.1, part 1, it follows that $\textit{future}(s.\textit{ppstate}, [w.\textit{ltime}, s'.\textit{next-snap}_j - s'.\textit{now}_j + w.\textit{ltime}]) \subseteq \textit{future}(s.\textit{ppstate}, [0, s'.\textit{next-snap}_j - s'.\textit{now}_j + w.\textit{ltime}])$. Finally, since $s'.\textit{next-snap}_j - s'.\textit{now}_j + w.\textit{ltime} = s.\textit{next-snap}_j - s.\textit{now}_j$, it follows that $\textit{future}(s'.\textit{ppstate}, [0, s'.\textit{next-snap}_j - s'.\textit{now}_j]) \subseteq \textit{future}(s.\textit{ppstate}, [0, s.\textit{next-snap}_j - s.\textit{now}_j])$, as needed.

Using similar arguments, it can be shown that $\textit{future}(s'.\textit{ppstate}, s'.\textit{next-snap}_j - s'.\textit{now}_j) \subseteq \textit{future}(s.\textit{ppstate}, s.\textit{next-snap}_j - s.\textit{now}_j)$. ■

Lemma 3.2.8 For any state $s$ of $PP \times \textit{Abs}(PP, S, R, G, j, d)$ that is reachable from an initial state in $\textit{safe}_{PP,R,G,j}$ via an execution that only involves states in $R$, it is the case that $s.\textit{ppstate} \in G$.

Proof: If $s.\textit{send}_j = \textit{null}$ then Lemma 3.2.7 implies that the state $s.\textit{ppstate}$ is in the set $\textit{delay-safe}(s.\textit{next-snap}_j - s.\textit{now}_j)$, which implies that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$. On the other hand, if $s.\textit{send}_j \neq \textit{null}$, then Lemma 3.2.7 implies that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$. Thus, in either case it is the case that $\textit{future}(s.\textit{ppstate}, 0) \subseteq G$. Finally, Lemma 3.2.1, part 3, implies that $s.\textit{ppstate} \in G$. ■

Theorem 3.2.9 $\textit{Abs}(PP, S, R, G, j, d)$ guarantees $G$ in PP from $\textit{safe}_{PP,R,G,j}$ given $R$.

Proof: Let $s$ be any state of the composed system $PP \times \textit{Abs}_j$ that is reachable from an initial state in $\textit{safe}$ via an execution that only involves states in $R$. Then, Lemma 3.2.8 implies that $s.\textit{ppstate} \in G$, as needed. ■

Corollary 3.2.10 $\textit{Abs}(PP, S, R, G, j, d)$ guarantees $G$ in PP from $S$ given $R$.

Proof: Follows directly from Theorem 3.2.9 and Axiom 3.2.8. ■
Chapter 4

Modeling a System of n Vehicles



In this chapter, we present a model for a simplified version of the PRT 2000™ system 
under development at Raytheon Corporation. The physical plant model involves n vehicles 
traveling on a single track. Since this thesis is only concerned with safety, the details of the 
operation of the physical plant and the aspects of the system geared towards performance 
are omitted. 

The model, called VEHICLES, is a HIOA and conforms to the restrictions on the PP au- 
tomaton of Section 3.1 and the assumptions about the PP automaton of Section 3.2. We 
describe in detail the aspects of the physical plant model that were only abstract in Sec- 
tions 3.1 and 3.2. These include: the state variables, the initial states, the discrete actions, 
and the trajectories of the PP automaton. Moreover, we define several auxiliary derived 
variables and sets that are used extensively by the protector automata presented in the 
following chapters. 

The state variables of the VEHICLES automaton include the position, the velocity, and the 
acceleration of each vehicle and several other variables that record whether the vehicles of 
each of the vehicle pairs have collided into each other, whether each vehicle is braking, and 
whether each protector is requesting each vehicle to brake. The set of initial states is the 
set of states of the VEHICLES automaton that satisfy the physical properties of the system. 
The input actions are used by the protectors to instruct the vehicles to apply or release 
their "emergency" brakes, and the internal actions model the possibility that vehicles stop 
suddenly or collide among themselves. The trajectories model the motion of the vehicles 
with time, within their physical constraints. 






4.1 Physical Plant: VEHICLES 

In this section we describe the automaton VEHICLES, which models a set of n vehicles 
traveling on a single track. For simplicity, all the vehicles are assumed to have identical di- 
mensions and acceleration/deceleration capabilities. The formal definition of the automaton 
VEHICLES and the formal definition of the derived variables and sets used in its definition 
are given in Figure 4.1 and Table 4.1, respectively. Their informal definitions follow. 

The set $I$ is the set of vehicles being modeled in the VEHICLES automaton. Each vehicle is identified by an element of this set. As described in Section 3.1, the set $J$ is the set of ports that are used by the VEHICLES automaton to interact with the various protectors. In this setting, each of the protectors uses a single port to interact with the VEHICLES automaton. Therefore, the port index is often used to specify the protector itself.

The output variables of the VEHICLES automaton are the variables $x_i$, for $i \in I$, the variables $\dot{x}_i$, for $i \in I$, and the variables $\textit{collided}(i, i')$, for $i, i' \in I$, $i' \neq i$. Each of the variables $x_i$, for $i \in I$, is the position of the vehicle $i$. The position of each vehicle $i$, for $i \in I$, is represented by a single point on the real line, i.e., $x_i \in \mathbb{R}$, for $i \in I$, and specifies the position of the rear of the vehicle $i$ on the track. The section of the track occupied by each vehicle $i$, for $i \in I$, often referred to as the extent of the vehicle $i$, is defined to be the section of track ranging from the position of the rear of the vehicle $i$ to the point on the track that is a distance of $c_{len}$ downstream of the rear of the vehicle $i$. The distance $c_{len}$ is the minimum allowable separation between vehicles; that is, the length of the vehicle plus any desired extra margin specified by the system designer. The extent of each vehicle $i$, for $i \in I$, is given by the derived variable $E_i$; that is, $E_i = [x_i, x_i + c_{len}]$, for $i \in I$. Each of the variables $\dot{x}_i$, for $i \in I$, is the velocity of the vehicle $i$. The vehicles are only allowed to move forward on the track and, therefore, their velocities are restricted to be non-negative, i.e., $\dot{x}_i \in \mathbb{R}^{\ge 0}$, for all $i \in I$. Once a vehicle in the VEHICLES automaton has collided, its velocity is assumed to be arbitrary.

Each output variable $\textit{collided}(i, i')$, for $i, i' \in I$, $i' \neq i$, denotes whether the vehicle $i$ has ever collided into the vehicle $i'$. For shorthand, each of the derived variables $\textit{collided}(i, *)$, for $i \in I$, denotes whether the vehicle $i$ has ever collided into any of the other vehicles, i.e., $\textit{collided}(i, *) = \bigvee_{i' \in I,\, i' \neq i} \textit{collided}(i, i')$, and each of the derived variables $\textit{collided}(*, i)$, for $i \in I$, denotes whether any of the other vehicles have ever collided into the vehicle $i$, i.e., $\textit{collided}(*, i) = \bigvee_{i' \in I,\, i' \neq i} \textit{collided}(i', i)$. Moreover, each of the derived variables $\textit{collided}(*, i, *)$, for $i \in I$, denotes whether the vehicle $i$ has ever been involved in a collision; that is, either whether the vehicle $i$ has ever collided into any other vehicle, or whether any other vehicle has ever collided into the vehicle $i$. In logical terms, $\textit{collided}(*, i, *) = \textit{collided}(*, i) \vee \textit{collided}(i, *)$. Finally, the derived variable $\textit{collided}$ denotes whether any of the vehicles have ever collided among themselves, i.e., $\textit{collided} = \bigvee_{i \in I} \textit{collided}(i, *) = \bigvee_{i, i' \in I,\, i' \neq i} \textit{collided}(i, i')$.

Figure 4.1 The VEHICLES automaton.

Actions:
    Input:    $e$, the environment action (stuttering)
              $\textit{brake}(i)_j$, for all $i \in I$, $j \in J$
              $\textit{unbrake}(i)_j$, for all $i \in I$, $j \in J$
    Internal: $\textit{colliding-pair}(i, i')$, for all $i, i' \in I$, $i \neq i'$
              $\textit{collision-effects}(i)$, for all $i \in I$
              $\textit{brick-wall}(i)$, for all $i \in I$

Variables:
    Internal: $\ddot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\ddot{x}_i \in \mathbb{R}$
              $\textit{brake}(i) \in \textit{Bool}$, for all $i \in I$, initially False
              $\textit{brake-req}(i, j) \in \textit{Bool}$, for all $i \in I$, $j \in J$, initially False
    Output:   $x_i \in \mathbb{R}$, for all $i \in I$, initially $x_i \in \mathbb{R}$
              $\dot{x}_i \in \mathbb{R}$, for all $i \in I$, initially $\dot{x}_i \in \mathbb{R}$
              $\textit{collided}(i, i') \in \textit{Bool}$, for all $i, i' \in I$, $i \neq i'$, initially False
    subject to VALID

Discrete Transitions:
    $e$
        Eff: None
    $\textit{brake}(i)_j$
        Eff: [illegible in the scanned figure]
             if $\dot{x}_i = 0$ then $\ddot{x}_i := 0$
             else $\ddot{x}_i := c_{brake}$
    $\textit{unbrake}(i)_j$
        Eff: [illegible in the scanned figure]
    $\textit{colliding-pair}(i, i')$
        Pre: [illegible in the scanned figure]
        Eff: [illegible in the scanned figure]
    $\textit{collision-effects}(i)$
        Pre: $\textit{collided}(*, i, *)$
        Eff: $\dot{x}_i :\in \mathbb{R}^{\ge 0}$
             $\ddot{x}_i :\in \mathbb{R}$
    $\textit{brick-wall}(i)$
        Pre: True
        Eff: $\dot{x}_i := 0$
             if $\textit{brake}(i)$ then $\ddot{x}_i := 0$
             else $\ddot{x}_i :\in [0, c_{max}]$

Trajectories:
    for all $i, i' \in I$, $i \neq i'$, $\textit{collided}(i, i')$ is constant throughout $w$
    for all $i \in I$ and $j \in J$, $\textit{brake}(i)$ and $\textit{brake-req}(i, j)$ are constant throughout $w$
    for all $i \in I$
        the function $w.\ddot{x}_i$ is integrable
        for all $t$ in the domain of $w$
            $w(t).\dot{x}_i = w(0).\dot{x}_i + \int_0^t w(s).\ddot{x}_i\, ds$
            $w(t).x_i = w(0).x_i + \int_0^t w(s).\dot{x}_i\, ds$
    for all $i, i' \in I$, $i \neq i'$, and all $t$ in the domain of $w$
        if $\neg w.\textit{collided}(i, i')$
           $\wedge\; (w(t).E_i \cap w(t).E_{i'} \neq \emptyset)$
           $\wedge\; (w(t).x_i < \min(w(t).E_i \cap w(t).E_{i'}))$
        then $t = w.\textit{ltime}$
    subject to VALID
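A numeric instance of the definitions above (extents, the derived collided variables, VALID, and the colliding-pair condition of the trajectory specification) is given by the following Python script, an added example that is not part of the thesis. It assumes constructed constants ($c_{len} = 5$, $c_{min} = -2$, $c_{brake} = -1.5$, $c_{max} = 1.5$, in metres and seconds), an assumed effect for $\textit{unbrake}(i)_j$ (the brake is released only when no port still requests it, after which the vehicle coasts), and a fixed-step integration of the trajectories that is cut exactly at the instant a decelerating vehicle comes to rest. The scenario, a moving vehicle 0 behind a stopped vehicle 1, and the helper names (advance, colliding_pairs, simulate) are the example's own.

```python
"""Added example: a numeric two-vehicle instance of the VEHICLES model
with the derived variables of Table 4.1 and the colliding-pair condition
of Figure 4.1. Constructed for illustration, not the thesis's own figure;
the constants and the effect of unbrake are assumptions.
"""
from dataclasses import dataclass, field

# Assumed constants (metres, seconds). The model only requires
# c_len > 0 and c_min < c_brake < 0 < c_max.
C_LEN = 5.0
C_MIN, C_MAX = -2.0, 1.5
C_BRAKE = -1.5


@dataclass
class Vehicle:
    x: float                     # position of the rear of the vehicle
    xdot: float                  # velocity, kept >= 0 (VALID condition 2)
    xddot: float = 0.0           # acceleration
    brake: bool = False          # brake(i)
    brake_req: set = field(default_factory=set)       # ports j with brake-req(i, j)
    collided_into: set = field(default_factory=set)   # {i' : collided(i, i')}


def extent(v):
    """E_i = [x_i, x_i + c_len]."""
    return (v.x, v.x + C_LEN)


def intersection(e1, e2):
    """Intersection of two closed intervals, or None when they are disjoint."""
    lo, hi = max(e1[0], e2[0]), min(e1[1], e2[1])
    return (lo, hi) if lo <= hi else None


def collided_star(vehicles, i):
    """collided(*, i, *): vehicle i ran into someone or someone ran into it."""
    return bool(vehicles[i].collided_into) or any(i in v.collided_into for v in vehicles)


def valid(vehicles):
    """VALID of Table 4.1, conditions 1-4, over a list indexed by vehicle id."""
    n = len(vehicles)
    for i in range(n):
        for k in range(n):
            if i == k:
                continue
            ov = intersection(extent(vehicles[i]), extent(vehicles[k]))
            if ov is not None and ov[1] > ov[0]:      # positive-length overlap
                return False
    for i, v in enumerate(vehicles):
        if v.xdot < 0:
            return False
        if not collided_star(vehicles, i):
            if not C_MIN <= v.xddot <= C_MAX:
                return False
            if v.brake and v.xddot != (0.0 if v.xdot == 0 else C_BRAKE):
                return False
    return True


def brake_action(vehicles, i, j):
    """brake(i)_j: record the request; an uncollided vehicle engages its brake."""
    v = vehicles[i]
    v.brake_req.add(j)
    if not collided_star(vehicles, i):
        v.brake = True
        v.xddot = 0.0 if v.xdot == 0 else C_BRAKE


def unbrake_action(vehicles, i, j):
    """unbrake(i)_j (assumed effect): drop port j's request and release the
    brake only when no port still requests it; the vehicle then coasts."""
    v = vehicles[i]
    v.brake_req.discard(j)
    if not v.brake_req and not collided_star(vehicles, i):
        v.brake = False
        v.xddot = 0.0


def advance(vehicles, dt):
    """One closed trajectory of length dt with constant acceleration per
    vehicle; a decelerating vehicle is integrated only up to the instant it
    stops, so xdot never goes negative and a braking vehicle at rest gets
    acceleration 0 (VALID condition 4)."""
    for v in vehicles:
        if v.xddot < 0 and v.xdot + v.xddot * dt <= 0:
            tau = -v.xdot / v.xddot          # time until the vehicle comes to rest
            v.x += v.xdot * tau + 0.5 * v.xddot * tau * tau
            v.xdot = 0.0
            if v.brake:
                v.xddot = 0.0
        else:
            v.x += v.xdot * dt + 0.5 * v.xddot * dt * dt
            v.xdot += v.xddot * dt


def colliding_pairs(vehicles):
    """Pairs (i, i') meeting the colliding-pair stopping condition of the
    trajectory specification: not yet recorded, extents intersect, and the
    rear of i lies before the intersection (i is the vehicle running into i')."""
    hits = []
    for i, vi in enumerate(vehicles):
        for k, vk in enumerate(vehicles):
            if i == k or k in vi.collided_into:
                continue
            ov = intersection(extent(vi), extent(vk))
            if ov is not None and vi.x < ov[0]:
                hits.append((i, k))
    return hits


def simulate(lead_x, v0, brake_at_x, dt=0.01, t_end=30.0):
    """Vehicle 0 starts at x=0 with speed v0 behind a stopped vehicle 1 whose
    rear is at lead_x; the protector on port 0 issues brake(0)_0 once the rear
    of vehicle 0 passes brake_at_x. Returns (x_0, xdot_0, collided(0, 1))."""
    vehicles = [Vehicle(x=0.0, xdot=v0), Vehicle(x=lead_x, xdot=0.0)]
    assert valid(vehicles)
    t = 0.0
    while t < t_end:
        if vehicles[0].x >= brake_at_x and not vehicles[0].brake:
            brake_action(vehicles, 0, 0)
        advance(vehicles, dt)
        for i, k in colliding_pairs(vehicles):
            vehicles[i].collided_into.add(k)   # colliding-pair(i, i') fires here
        if vehicles[0].collided_into or vehicles[0].xdot == 0.0:
            break
        t += dt
    v = vehicles[0]
    return v.x, v.xdot, 1 in v.collided_into
```

With the constants assumed here, braking at $x = 0$ from 10 m/s stops the rear of vehicle 0 at $100/3$ m, which leaves its extent short of $[40, 45]$, whereas delaying the brake until $x = 5$ m moves the stopping point inside that extent and $\textit{colliding-pair}(0, 1)$ fires as soon as $E_0$ and $E_1$ intersect, with vehicle 0 still moving. The VALID check also shows that two extents may touch at a single point without violating condition 1.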

Table 4.1 Derived variables and sets used in the definition of the VEHICLES automaton.

E_i ⊆ R, for i ∈ I, defined by
  E_i = [x_i, x_i + c_len]

collided(i, *) ∈ Bool, for i ∈ I, defined by
  collided(i, *) = ∨_{i' ∈ I, i' ≠ i} collided(i, i')

collided(*, i) ∈ Bool, for i ∈ I, defined by
  collided(*, i) = ∨_{i' ∈ I, i' ≠ i} collided(i', i)

collided(*, i, *) ∈ Bool, for i ∈ I, defined by
  collided(*, i, *) = collided(*, i) ∨ collided(i, *)

VALID ⊆ states(VEHICLES), defined by
  VALID = {p ∈ states(VEHICLES) |
    1. ∄ i, i' ∈ I, i ≠ i', such that the set p.E_i ∩ p.E_i' is a positive length closed
       interval of R.
    2. p.ẋ_i ≥ 0, for all i ∈ I.
    3. If ¬p.collided(*, i, *) then p.ẍ_i ∈ [c_min, c_max], for all i ∈ I.
    4. If ¬p.collided(*, i, *) ∧ p.brake(i) then if p.ẋ_i = 0 then p.ẍ_i = 0 else p.ẍ_i =
       c_brake, for all i ∈ I. }

The internal variables of the VEHICLES automaton are the variables ẍ_i, for i ∈ I, the
variables brake(i), for i ∈ I, and the variables brake-req(i, j), for i ∈ I and j ∈ J. Each of
the variables ẍ_i, for i ∈ I, is the acceleration of the vehicle i. If no vehicle collisions involving
a particular vehicle i have occurred, then (i) the acceleration of the vehicle i is bounded
above and below as follows: ẍ_i ∈ [c_min, c_max], where c_min, c_max ∈ R and c_min < 0 < c_max,
and (ii) if the vehicle i is braking, its acceleration is given by ẍ_i = c_brake, where c_brake ∈ R
and c_min < c_brake < 0. The difference between the minimum acceleration and the braking
acceleration reflects a conservative estimate of the effect of a vehicle's braking system.
Once a vehicle in the VEHICLES automaton has collided, its acceleration is assumed to be
arbitrary and its braking system is assumed to be malfunctioning. Each of the boolean
variables brake(i), for i ∈ I, denotes whether the vehicle i is braking. Each of the boolean
variables brake-req(i, j), for i ∈ I and j ∈ J, denotes whether the protector j is requesting
the vehicle i to brake. It is assumed that each vehicle applies its "emergency" brake while
any of the protectors is requesting it, i.e., brake(i) = ∨_{j ∈ J} brake-req(i, j), for all i ∈ I.
The input actions of the VEHICLES automaton are the environment action e and the actions
brake(i)_j and unbrake(i)_j, for i ∈ I and j ∈ J. Since the VEHICLES automaton has no
input variables, the environment action e is stuttering and its specification is omitted from
the definition of the VEHICLES automaton. Each of the actions brake(i)_j and unbrake(i)_j,
for i ∈ I and j ∈ J, corresponds to an action performed by the protector j instructing the
vehicle i to apply or release its "emergency" brake, respectively. It is important to note that
the acceleration of the vehicle i is not set by the actions brake(i)_j and unbrake(i)_j unless
the variable brake(i) gets toggled by the action being performed. Therefore, the brake(i)_j
and unbrake(i)_j actions do not affect the acceleration of the vehicle i when brake(i) = True
and ¬brake(i) ∨ (∨_{j' ∈ J, j' ≠ j} brake-req(i, j')) = True, respectively.

For simplicity, the set of input actions of the VEHICLES automaton includes the actions
brake(i)_j and unbrake(i)_j, for i ∈ I and j ∈ J; that is, the VEHICLES automaton allows
each protector j, for j ∈ J, to brake each vehicle i, for i ∈ I. However, it is often the
case that a protector j, for some j ∈ J, needs to schedule only a subset of the actions
brake(i)_j and unbrake(i)_j, for i ∈ I. In such cases, the protector j is specified as having
only the output actions that it is capable of scheduling, and the remaining input actions of
the VEHICLES automaton on port j are ignored.

The discrete actions brick-wall(i), for i ∈ I, colliding-pair(i, i'), for i, i' ∈ I, i ≠ i', and
collision-effects(i), for i ∈ I, are the internal actions of the VEHICLES automaton. Each
brick-wall(i) action, for i ∈ I, models the instantaneous stopping of the vehicle i, as if
it hit a brick wall. Thereafter however, the vehicle i is allowed to reinitiate forward motion.
The effects of the brick-wall(i) action are to set the velocity of the vehicle i to zero and
the acceleration of the vehicle i to an arbitrary non-negative value within the prespecified
acceleration bounds. It is important to note that if the vehicle i was braking prior to the
execution of the brick-wall(i) action, the brick-wall(i) action sets the acceleration of
the vehicle i to zero. Each colliding-pair(i, i') action, for i, i' ∈ I, i ≠ i', records the fact
that the vehicle i has collided into the vehicle i'. The colliding-pair(i, i') action sets the
boolean variable collided(i, i') to True. A collision between two vehicles is assumed to take
place when the vehicles have overlapping extents. However, since the trailing vehicle is the
only vehicle that can prevent the collision through braking, the collision is recorded only by
the trailing vehicle, as if the trailing vehicle were the only vehicle liable for the particular
collision. Following a collision, the velocity and the acceleration of the vehicles involved
in the collision are unconstrained and each vehicle's braking system is assumed to be
malfunctioning. Each collision-effects(i) action, for i ∈ I, models the adverse effects of a
collision involving the vehicle i and may be executed, even repeatedly, at any instant of time
following the first collision involving the vehicle i. The collision-effects(i) action sets
the velocity and the acceleration of the vehicle i to arbitrary values. The system is modeled
such that a collision allows but does not dictate immediate effects on the velocity and the
acceleration of the vehicles involved in the collision; that is, collision-effects(i) and
collision-effects(i') actions do not necessarily follow a colliding-pair(i, i') action.

All discrete actions of the VEHICLES automaton, except the collision-effects actions, 
model the behavior of the vehicle as if no collisions had ever occurred. Once a vehicle has 
been involved in a collision, it is unknown whether the vehicle has incurred any damage 
and, therefore, its operation is uncertain. If the vehicle has not been damaged then its 
operation is modeled as if the vehicle had not collided. On the other hand, if the vehicle 
has been damaged, the malfunctioning vehicle apparatus is modeled by succeeding each of 
the discrete actions with a collision-effects action for the malfunctioning vehicle. 

The definition of the VEHICLES automaton restricts the initial states and the trajectory 
states to the set VALID. The formal definition of the set VALID is given below and is 
included for reference in Table 4.1. 



VALID ⊆ states(VEHICLES), defined as the set of states of the VEHICLES automaton that
satisfy the following conditions:

1. ∄ i, i' ∈ I, i ≠ i', such that the set E_i ∩ E_i' is a positive length closed interval
   of R.

2. ẋ_i ≥ 0, for all i ∈ I.

3. If ¬collided(*, i, *) then ẍ_i ∈ [c_min, c_max], for all i ∈ I.

4. If ¬collided(*, i, *) ∧ brake(i) then if ẋ_i = 0 then ẍ_i = 0 else ẍ_i = c_brake, for all
   i ∈ I.

The restriction of the states of the VEHICLES automaton to the set VALID enforces some of 
the physical properties of the system. The first two conditions restrict the vehicle extents to 
be non-overlapping and the vehicle velocities to be non-negative. The vehicles are, however, 
allowed to "touch", i.e., their extents are allowed to intersect at a single point. The final 
two properties only apply for vehicles that have not been involved in a collision. The 
third condition specifies the range of allowable vehicle acceleration and the fourth condition 
specifies the correct acceleration for a vehicle that is braking. Recall that once a vehicle has 
collided, its velocity and acceleration are assumed to be arbitrary and its braking system is 
assumed to be malfunctioning. 
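As an added illustration, not code from the thesis, the four VALID conditions can be encoded as an executable state check. The constants c_len, c_min, c_max and c_brake below are constructed sample values; a state is a set of vehicles together with the set of ordered pairs (i, i') for which collided(i, i') holds, and brake(i) is derived from the brake-req(i, j) flags exactly as the text assumes. The checker reports which condition a state violates rather than a bare yes/no, which is what one wants when a simulation trace leaves VALID.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample constants (assumed values, not taken from the thesis):
# c_len is the vehicle length, c_min < 0 < c_max bound the acceleration of an
# uncollided vehicle, and c_min < c_brake < 0 is the braking acceleration.
C_LEN = 4.0
C_MIN = -8.0
C_MAX = 2.0
C_BRAKE = -5.0


@dataclass
class Vehicle:
    x: float                                   # position x_i
    v: float                                   # velocity (dot x_i)
    a: float                                   # acceleration (ddot x_i)
    brake_req: Dict[str, bool] = field(default_factory=dict)  # brake-req(i, j), keyed by port j

    @property
    def brake(self) -> bool:
        # brake(i) = OR over j of brake-req(i, j), as assumed in the text
        return any(self.brake_req.values())


def extent(veh: Vehicle) -> Tuple[float, float]:
    """E_i = [x_i, x_i + c_len]."""
    return (veh.x, veh.x + C_LEN)


def overlap_length(e1: Tuple[float, float], e2: Tuple[float, float]) -> float:
    """Length of E_i ∩ E_i'; 0 means the extents at most touch, < 0 means they are apart."""
    return min(e1[1], e2[1]) - max(e1[0], e2[0])


def collided_any(i: str, collided: Set[Tuple[str, str]]) -> bool:
    """collided(*, i, *): vehicle i has collided into, or been collided into by, some vehicle."""
    return any(i in pair for pair in collided)


def valid_violations(state: Dict[str, Vehicle],
                     collided: Set[Tuple[str, str]]) -> List[Tuple]:
    """Return the VALID conditions a state violates; an empty list means state ∈ VALID.
    Each entry names the condition number (1-4) and the vehicle(s) concerned."""
    violations: List[Tuple] = []
    ids = sorted(state)
    # Condition 1: no two extents overlap in a positive-length interval (touching is allowed).
    for n, i in enumerate(ids):
        for i2 in ids[n + 1:]:
            if overlap_length(extent(state[i]), extent(state[i2])) > 0:
                violations.append((1, i, i2))
    for i, veh in state.items():
        # Condition 2: velocities are non-negative.
        if veh.v < 0:
            violations.append((2, i))
        # Conditions 3 and 4 apply only to vehicles not involved in any collision.
        if not collided_any(i, collided):
            if not (C_MIN <= veh.a <= C_MAX):
                violations.append((3, i))
            if veh.brake:
                expected = 0.0 if veh.v == 0 else C_BRAKE
                if veh.a != expected:
                    violations.append((4, i))
    return violations


def sample_checks() -> Dict[str, List[Tuple]]:
    """Constructed sample states exercising each condition."""
    touching = {"v1": Vehicle(0.0, 10.0, 1.0), "v2": Vehicle(4.0, 12.0, 0.0)}
    overlapping = {"v1": Vehicle(0.0, 10.0, 1.0), "v2": Vehicle(3.0, 12.0, 0.0)}
    bad_brake = {"v1": Vehicle(0.0, 10.0, 1.0, {"p1": True})}   # braking but not at c_brake
    good_brake = {"v1": Vehicle(0.0, 10.0, C_BRAKE, {"p1": True})}
    stopped_brake = {"v1": Vehicle(0.0, 0.0, 0.0, {"p1": True})}
    # A collided vehicle may have arbitrary acceleration and a malfunctioning brake.
    wrecked = {"v1": Vehicle(0.0, 10.0, 40.0, {"p1": True}), "v2": Vehicle(20.0, 3.0, 0.0)}
    return {
        "touching": valid_violations(touching, set()),
        "overlapping": valid_violations(overlapping, set()),
        "bad_brake": valid_violations(bad_brake, set()),
        "good_brake": valid_violations(good_brake, set()),
        "stopped_brake": valid_violations(stopped_brake, set()),
        "wrecked": valid_violations(wrecked, {("v1", "v2")}),
    }
```

Note that the "wrecked" state passes: conditions 3 and 4 are skipped for a vehicle with collided(*, i, *) = True, which is precisely the model's assumption that a collided vehicle's acceleration and brake are unconstrained.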

The trajectories of the VEHICLES automaton only affect the position, the velocity, and the 
acceleration of the vehicles of the VEHICLES automaton — the remaining variables of the 
VEHICLES automaton remain constant throughout the trajectories. The position and the 
velocity are assumed to be the integrals of the velocity and the acceleration, respectively. 
The acceleration is assumed to be changing arbitrarily throughout a trajectory with the 
restriction that all states of the trajectory remain within the set VALID. Finally, if a 
vehicle i collides into a vehicle i' for the first time, the trajectory is stopped so that the 
collision can be recorded by a colliding-pair(i, i') action. 

The VEHICLES automaton complies with the assumptions made about the PP automaton
in Section 3.2.1. The VEHICLES automaton has neither input variables, nor output actions,
on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover, the actions brake(i)_j
and unbrake(i)_j, for each vehicle i ∈ I satisfying the conditions brake-req(i, j) = True and
brake-req(i, j) = False, respectively, are no-op input actions on port j for any R ⊆ VALID.
Therefore, the set of no-op input actions on each port j ∈ J and any R ⊆ VALID is
non-empty (Axiom 3.2.3).

4.2 Sets of Guarantee and Reliance for the VEHICLES Automaton

The protectors presented in the following chapters are designed to guarantee that the
VEHICLES automaton remains within sets of states that are considered "good". In other words,
the protectors are designed to keep the VEHICLES automaton from reaching states that are
considered "bad" or hazardous. Bad or hazardous states involve vehicles that are either
above the speed limit, or that have collided with each other. Sets of states that are
considered "good" are informally referred to as sets of guarantee. Moreover, it is often the
case that protectors rely on the restriction of the states of the VEHICLES automaton to sets
comprised of states that exhibit particular properties of the VEHICLES automaton. Such
sets of states are informally referred to as sets of reliance.

In the case of exceeding the speed limit, the set P_overspeed(i) is the subset of VALID comprised
of the states in which the vehicle i is above the speed limit. Let the maximum allowable
velocity be given by c_max.

P_overspeed(i) ⊆ VALID, for i ∈ I, defined by
  P_overspeed(i) = {p ∈ VALID | p.ẋ_i > c_max}.

Then the set P_overspeed = ∪_{i ∈ I} P_overspeed(i) is the subset of VALID comprised of the states
in which at least one of the vehicles is above the speed limit, and the set P_not-overspeed =
VALID − P_overspeed is the subset of VALID comprised of the states in which none of the
vehicles are above the speed limit.

In the case of vehicle collisions, the set P_collided(i,i') is the subset of VALID comprised of the
states in which the vehicle i has collided into the vehicle i'.

P_collided(i,i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  P_collided(i,i') = {p ∈ VALID | p.collided(i, i') = True}.

Then the set P_collided(i) = ∪_{i' ∈ I, i' ≠ i} P_collided(i,i') is the subset of VALID comprised of the
states in which the vehicle i has collided into at least one of the other vehicles. Moreover, the
set P_collided = ∪_{i ∈ I} P_collided(i) = ∪_{i, i' ∈ I, i ≠ i'} P_collided(i,i') is the subset of VALID comprised
of the states in which at least two distinct vehicles have collided into each other. Finally,
the set P_not-collided = VALID − P_collided is the subset of VALID comprised of the states in
which none of the vehicles have collided among themselves.

Table 4.2 Sets of guarantee and reliance for the VEHICLES automaton.

P_overspeed(i) ⊆ VALID, for i ∈ I, defined by
  P_overspeed(i) = {p ∈ VALID | p.ẋ_i > c_max}

P_overspeed ⊆ VALID, defined by
  P_overspeed = ∪_{i ∈ I} P_overspeed(i)

P_not-overspeed ⊆ VALID, defined by
  P_not-overspeed = VALID − P_overspeed

P_collided(i,i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  P_collided(i,i') = {p ∈ VALID | p.collided(i, i') = True}

P_collided(i) ⊆ VALID, for i ∈ I, defined by
  P_collided(i) = ∪_{i' ∈ I, i' ≠ i} P_collided(i,i')

P_collided ⊆ VALID, defined by
  P_collided = ∪_{i ∈ I} P_collided(i) = ∪_{i, i' ∈ I, i ≠ i'} P_collided(i,i')

P_not-collided ⊆ VALID, defined by
  P_not-collided = VALID − P_collided

The sets of guarantee and reliance defined in this section comply with the assumptions
made in Section 3.2.1; that is, the sets of guarantee and reliance defined in this section are
Y_VEHICLES-determinable (Axioms 3.2.6 and 3.2.7).

For reference, the formal definitions of the sets of guarantee and reliance defined above 
appear in Table 4.2. These sets are extensively used in the definitions of the overspeed and 
collision protectors presented in the following chapters. 
4.3 Auxiliary Derived Variables and Auxiliary Sets for the VEHICLES Automaton

This section presents several auxiliary derived variables and sets for the VEHICLES automa-
ton. These variables and sets are used extensively in the following chapters.

Table 4.3 Auxiliary derived variables for the VEHICLES automaton.

stop-dist_i ∈ R^{≥0}, for all i ∈ I, defined by
  stop-dist_i = −ẋ_i² / (2 c_brake)

max-range_i(t) ∈ R^{≥0}, for all i ∈ I and t ∈ R^{≥0}, defined by
  max-range_i(t) = ẋ_i Δt + ½ c_max Δt² + c_max (t − Δt), where Δt = min(t, (c_max − ẋ_i)/c_max),
                   if ẋ_i ≤ c_max, and
                   ẋ_i Δt + ½ c_brake Δt² + c_max (t − Δt), where Δt = min(t, (c_max − ẋ_i)/c_brake),
                   otherwise.

max-vel_i(t) ∈ R^{≥0}, for all i ∈ I and t ∈ R^{≥0}, defined by
  max-vel_i(t) = min(c_max, ẋ_i + t c_max), if ẋ_i ≤ c_max, and
                 max(c_max, ẋ_i + t c_brake) otherwise.

O_i ⊆ R, for all i ∈ I, defined by
  O_i = [x_i, x_i + stop-dist_i + c_len]

C_i(t) ⊆ R, for all i ∈ I and t ∈ R^{≥0}, defined by
  C_i(t) = [x_i, x_i + max-range_i(t) − max-vel_i(t)² / (2 c_brake) + c_len]

For any state p in VALID, the auxiliary derived variables for any vehicle i ∈ I and time
t ∈ R^{≥0} are defined in Table 4.3. If the vehicle i is abiding by the global speed limit c_max,
then the derived variables of Table 4.3 can be interpreted as follows:

stop-dist_i, for i ∈ I, is the distance required to stop the vehicle i, assuming a braking
deceleration equal to c_brake.

max-range_i(t), for i ∈ I and t ∈ R^{≥0}, is the maximum distance the vehicle i can travel in t
time units, assuming a maximum acceleration equal to c_max.

max-vel_i(t), for i ∈ I and t ∈ R^{≥0}, is the maximum velocity achievable by the vehicle i in t
time units, assuming a maximum acceleration equal to c_max.

O_i, for i ∈ I, is the section of the track that the vehicle i "owns"; that is, the range
extending from the current position of the vehicle i to the point on the track that the
vehicle can reach even if it is braked immediately.

C_i(t), for i ∈ I and t ∈ R^{≥0}, is the section of the track that the vehicle i "claims" within t
time units; that is, the range extending from the current position of the vehicle i to
the point on the track that the vehicle i can reach if it is braked after t time units
and assuming worst-case vehicle behavior up to the point in time when it is braked.

We now define sets of states of the VEHICLES automaton that are used extensively in the
following example protector chapters. While their formal definitions appear in Table 4.4,
their informal interpretations are presented below. It is important to note that the in-
terpretations of the sets disjoint-owned-tracks(i, i') and disjoint-claimed-tracks(i, i', t), for
i, i' ∈ I, i ≠ i', and t ∈ R^{≥0}, are valid provided that all the vehicles of the VEHICLES
automaton are abiding by the global speed limit c_max.

disjoint-extents(i, i'), for i, i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in
which the extents of the vehicles i and i' are disjoint. We use P_E to denote the set of
states in which the extents of all the vehicles are disjoint.

disjoint-owned-tracks(i, i'), for i, i' ∈ I, i ≠ i', is the subset of VALID comprised of the
states in which the sections of the track owned by the vehicles i and i' are disjoint.
We use P_O to denote the set of states in which all vehicles own disjoint sections of the
track. If a state of the VEHICLES automaton is not in P_O, then it cannot be guaranteed
that the vehicles will not collide in the future; that is, irrespective of any protection
action taken, it is possible for some vehicles to collide.

disjoint-claimed-tracks(i, i', t), for i, i' ∈ I, i ≠ i', and t ∈ R^{≥0}, is the subset of VALID
comprised of the states in which the sections of the track claimed within t time units
by the vehicles i and i' are disjoint. We use P_C(t) to denote the set of states in which
the sections of the track claimed within t time units by all the vehicles are disjoint. If
a state of the VEHICLES automaton is not in P_C(t) and no protective action is taken
for t time units, then it cannot be guaranteed that the vehicles will subsequently not
collide; that is, irrespective of any protection action taken after t time units, it is
possible for some of the vehicles to collide.

Furthermore, let P_B_ij be the subset of VALID comprised of the states in which the protector
communicating with the VEHICLES automaton through the port j is requesting the vehicle i
to brake, i.e., P_B_ij = {p ∈ VALID | p.brake-req(i, j) = True}.
Table 4.4 Auxiliary sets for the VEHICLES automaton.

disjoint-extents(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  disjoint-extents(i, i') = {p ∈ VALID | p.E_i ∩ p.E_i' = ∅}

P_E ⊆ VALID, defined by
  P_E = ∩_{i, i' ∈ I, i ≠ i'} disjoint-extents(i, i')

disjoint-owned-tracks(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  disjoint-owned-tracks(i, i') = {p ∈ VALID | p.O_i ∩ p.O_i' = ∅}

P_O ⊆ VALID, defined by
  P_O = ∩_{i, i' ∈ I, i ≠ i'} disjoint-owned-tracks(i, i')

disjoint-claimed-tracks(i, i', t) ⊆ VALID, for i, i' ∈ I, i ≠ i', and t ∈ R^{≥0}, defined by
  disjoint-claimed-tracks(i, i', t) = {p ∈ VALID | p.C_i(t) ∩ p.C_i'(t) = ∅}

P_C(t) ⊆ VALID, for t ∈ R^{≥0}, defined by
  P_C(t) = ∩_{i, i' ∈ I, i ≠ i'} disjoint-claimed-tracks(i, i', t)

P_B_ij ⊆ VALID, for i ∈ I and j ∈ J, defined by
  P_B_ij = {p ∈ VALID | p.brake-req(i, j) = True}

4.4 Useful Lemmas for the VEHICLES Automaton 

In this section we prove several useful lemmas that describe particular properties of the 
VEHICLES automaton and its derived variables. 

Lemma 4.4.1 For all p ∈ VALID, i ∈ I, and t ∈ R^{≥0}, the following hold:

1. p.stop-dist_i ≥ 0.

2. p.max-range_i(t) ≥ 0.

3. p.max-vel_i(t) ≥ 0.

4. If p.ẋ_i = 0 then p.stop-dist_i = 0.

5. p.max-range_i(0) = 0.

6. p.max-vel_i(0) = p.ẋ_i.

Proof: Follow directly from the definitions of the auxiliary derived variables stop-dist_i,
max-range_i(τ), and max-vel_i(τ), for τ ∈ R^{≥0}. ∎

Lemma 4.4.2 For all p ∈ VALID, i ∈ I, and t, t' ∈ R^{≥0}, t ≤ t', the following hold:

1. p.E_i ⊆ p.O_i ⊆ p.C_i(t).

2. p.x_i = min(p.E_i) = min(p.O_i) = min(p.C_i(t)).

3. p.O_i = p.C_i(0).

4. p.C_i(t) ⊆ p.C_i(t').

Proof: Follow directly from the definitions of the derived variables E_i, O_i, and C_i(τ), for
τ ∈ R^{≥0}. ∎

Lemma 4.4.3 If p, p' ∈ VALID, where p' follows from p in a single discrete action, then
the following hold:

1. p'.O_i ⊆ p.O_i if and only if p'.ẋ_i ≤ p.ẋ_i.

2. p'.C_i(t) ⊆ p.C_i(t), for any t ∈ R^{≥0}, if and only if p'.ẋ_i ≤ p.ẋ_i.

Proof: We prove each of the above statements separately.

1. Recall that O_i = [x_i, x_i + stop-dist_i + c_len]. Since none of the actions of the VEHICLES
automaton affect the position of a vehicle, it follows that p'.x_i = p.x_i. Therefore, the
intervals p.O_i and p'.O_i have the same left endpoint, i.e., min(p.O_i) = min(p'.O_i).
Moreover, since the variable stop-dist_i is positively correlated with the velocity of the
vehicle i, it follows that p'.stop-dist_i ≤ p.stop-dist_i if and only if p'.ẋ_i ≤ p.ẋ_i; that is,
max(p'.O_i) ≤ max(p.O_i) if and only if p'.ẋ_i ≤ p.ẋ_i.

Since min(p.O_i) = min(p'.O_i) and max(p'.O_i) ≤ max(p.O_i) if and only if p'.ẋ_i ≤ p.ẋ_i,
it follows that p'.O_i ⊆ p.O_i if and only if p'.ẋ_i ≤ p.ẋ_i.

2. Recall that C_i(t) = [x_i, x_i + max-range_i(t) − max-vel_i(t)² / (2 c_brake) + c_len], for any
t ∈ R^{≥0}. As shown above, it is the case that p'.x_i = p.x_i and, therefore, the intervals
p.C_i(t) and p'.C_i(t) have the same left endpoint, i.e., min(p.C_i(t)) = min(p'.C_i(t)).
Now, consider the right endpoints of p.C_i(t) and p'.C_i(t). The variables max-range_i
and max-vel_i are positively correlated with the velocity of the vehicle i and, therefore,
it follows that max(p'.C_i(t)) ≤ max(p.C_i(t)) if and only if p'.ẋ_i ≤ p.ẋ_i.

Since min(p.C_i(t)) = min(p'.C_i(t)) and max(p'.C_i(t)) ≤ max(p.C_i(t)) if and only if
p'.ẋ_i ≤ p.ẋ_i, for any t ∈ R^{≥0}, it follows that p'.C_i(t) ⊆ p.C_i(t), for any t ∈ R^{≥0}, if and
only if p'.ẋ_i ≤ p.ẋ_i.



Lemma 4.4.4 If p, p' ∈ VALID, where p' follows from p in a single trajectory, then the
following hold:

1. If p ∈ P_B_ij then p'.O_i ⊆ p.O_i.

2. If t ∈ R^{≥0} and Δt ∈ [0, t] is the limit time of the trajectory leading from p to p', then
p'.C_i(t − Δt) ⊆ p.C_i(t).

Proof: We prove each of the above statements separately.

1. Let p ∈ P_B_ij and consider the left and right endpoints of the intervals p.O_i and p'.O_i.

The left endpoints of p.O_i and p'.O_i are p.x_i and p'.x_i, respectively. Therefore, due to
the non-negative constraint on the vehicle velocities, it is the case that p.x_i ≤ p'.x_i;
that is, min(p.O_i) ≤ min(p'.O_i).

Since p ∈ P_B_ij and because the brake-req(i, j) variable remains constant throughout
any trajectory of the VEHICLES automaton, the vehicle i keeps braking throughout
the trajectory from p to p'. From the definition of the variable stop-dist_i it follows
that p.x_i + p.stop-dist_i = p'.x_i + p'.stop-dist_i and, therefore, the right endpoints of p.O_i
and p'.O_i are equal; that is, max(p'.O_i) = max(p.O_i).

Since min(p.O_i) ≤ min(p'.O_i) and max(p'.O_i) = max(p.O_i), we can easily conclude
from the definition of O_i that p'.O_i ⊆ p.O_i.

2. Let t ∈ R^{≥0} and Δt ∈ [0, t] be the limit time of the trajectory leading from p to p'
and consider the left and right endpoints of the intervals p.C_i(t) and p'.C_i(t − Δt).

The left endpoints of p.C_i(t) and p'.C_i(t − Δt) are p.x_i and p'.x_i, respectively. There-
fore, due to the non-negative constraint on the vehicle velocities, it is the case that
p.x_i ≤ p'.x_i; that is, min(p.C_i(t)) ≤ min(p'.C_i(t − Δt)).

Since the variables max-range_i and max-vel_i represent the worst case behavior of the
system it is the case that p'.x_i ≤ p.x_i + p.max-range_i(Δt) and p'.ẋ_i ≤ p.max-vel_i(Δt).
Since the variables max-range_i and max-vel_i are positively correlated with the velocity
of the vehicle i and p'.ẋ_i ≤ p.max-vel_i(Δt), it follows that p'.x_i + p'.max-range_i(t −
Δt) ≤ p.x_i + p.max-range_i(t) and p'.max-vel_i(t − Δt) ≤ p.max-vel_i(t). Therefore, the
right endpoint of p.C_i(t) is at least as downstream as the right endpoint of p'.C_i(t − Δt);
that is, max(p'.C_i(t − Δt)) ≤ max(p.C_i(t)).

Since min(p.C_i(t)) ≤ min(p'.C_i(t − Δt)) and max(p'.C_i(t − Δt)) ≤ max(p.C_i(t)), we
can easily conclude from the definition of C_i(τ), for τ ∈ R^{≥0}, that p'.C_i(t − Δt) ⊆
p.C_i(t).



Lemma 4.4.5 For all t, t' ∈ R^{≥0}, t ≤ t', the following hold:

1. P_C(t) ⊆ P_O ⊆ P_E.

2. P_C(t') ⊆ P_C(t).

Proof: Follow from Lemma 4.4.2 and the definitions of P_E, P_O, and P_C(τ), for τ ∈
Chapter 5

Example 1:

Overspeed Protection System

In this chapter, we present a protector that prevents the vehicles of the VEHICLES automaton
from exceeding a prespecified speed limit. In an actual system, speed limits may vary from
one region of the track to another; in this thesis, we assume a single global speed limit c_max.
We define a protector, called OS-PROT, that enforces the speed limit on all vehicles, provided
that they do not collide among themselves. This protector is defined as the composition
of n separate copies of another protector called OS-PROT-SOLO_i, one copy for each vehicle
i ∈ I. Each of the OS-PROT-SOLO_i protectors, for i ∈ I, is an implementation of a particular
instantiation of the abstract protector automaton of Section 3.2 and guarantees that the
vehicle i does not exceed the speed limit.

5.1 Protection System OS-PROT-SOLO_i

The OS-PROT-SOLO_i automata, for i ∈ I, are vehicle-wise overspeed protectors, each of
which individually guarantees that the vehicle i, for which it is responsible, does not exceed
the speed limit c_max, provided that no collisions among the vehicles occur. Each of the
OS-PROT-SOLO_i protectors, for i ∈ I, is an implementation of the abstract protector of
Section 3.2 specialized to particular definitions of the parameters PP, S, R, G, j, and d.

The physical plant automaton, PP, is defined to be the VEHICLES automaton of Figure 4.1.
The port j and the sampling period d are defined to be the port and sampling period with
which the protector OS-PROT-SOLO_i communicates with the VEHICLES automaton. They
are assumed arbitrary and are fixed for the rest of the chapter. The set R is defined to be
the set P_not-collided defined in Section 4.2. This definition restricts the reachable states of the
VEHICLES automaton to states in which no collisions among the vehicles have occurred. The
set of "good" states G is defined to be the set of states in which the vehicle i is at or below
the speed limit, i.e., G = VALID − P_overspeed(i). The set of states S is defined to be the set
safe_{PP,R,G,j} defined in Section 3.2.1; that is, the set of states of the PP automaton for which
a single input action of PP on port j can guarantee that, provided no new input actions
on port j are allowed, all subsequently R-reachable states will be in G. In Section 3.2.1,
the definition of safe depended on the automaton PP, the sets R and G, and the port j
which, at the time, were arbitrary. Here, they are defined to be the automaton VEHICLES,
the sets P_not-collided and VALID − P_overspeed(i), and the port j, respectively; that is, we have
specialized the definition of safe for these particular definitions of the automaton PP, the
sets R and G, and the port j. In this chapter, we will use the notation R_i, G_i, and S_i to
refer to the above definitions of the sets R, G, and S.

The OS-PROT-SOLO_i protector automaton is an implementation of the abstract protector
automaton Abs(VEHICLES, S_i, R_i, G_i, j, d). As is the case for the abstract protector automa-
ton Abs_j, we define the OS-PROT-SOLO_i automaton to be the composition of a sensor and a
discrete controller automaton. These automata are implementations of their abstract equiv-
alents of Figures 3.2 and 3.3, specialized however, to the above definitions of the parameters
PP, S, R, G, j, and d. The sensor automaton is precisely the specialization of the sensor
automaton of Figure 3.2 to the above definitions of the parameters PP, etc. The discrete
controller automaton is defined in Figure 5.1.

It is important to note that the abstract protector automaton Abs(VEHICLES, S_i, R_i, G_i, j, d)
complies with the assumptions made about the abstract protector in Section 3.2.1. In partic-
ular, since the vehicle velocity variables are output variables of the VEHICLES automaton, the
set safe is Y_VEHICLES-determinable and actions that guarantee safety can be determined from
the output variables Y_VEHICLES of the VEHICLES automaton (Axioms 3.2.4 and 3.2.5, respec-
tively). Moreover, the sets R_i and G_i are Y_VEHICLES-determinable (Axioms 3.2.6 and 3.2.7,
respectively) and the set of start states S_i is a subset of the set safe (Axiom 3.2.8), since S_i
is defined to be the set safe.

In Section 3.1 it was shown that the abstract protector Abs_j guarantees that the physical
plant PP remains within G starting from S given R. Similarly, the OS-PROT-SOLO_i automa-
ton guarantees that VEHICLES remains within G_i starting from S_i given R_i. This is shown
in the following section.



5.2 Correctness of OS-PROT-SOLO_i



The main result to be shown is that OS-PROT-SOLO_i ≤ Abs(VEHICLES, S_i, R_i, G_i, j, d). How-
ever, since both OS-PROT-SOLO_i and Abs(VEHICLES, S_i, R_i, G_i, j, d) involve the composition
of the same sensor automaton with distinct discrete controller automata, Theorem 2.7.4 ap-
plies. Therefore, it suffices to show that the discrete controller automaton of OS-PROT-SOLO_i
of Figure 5.1 implements the discrete controller automaton DC(VEHICLES, S_i, R_i, G_i, j, d) of
Figure 3.3. According to Theorem 2.6.1, this follows by showing that there exists a simula-
tion relation between the states of the discrete controller automaton of OS-PROT-SOLO_i and
DC(VEHICLES, S_i, R_i, G_i, j, d). We first give some useful set definitions, then prove some
lemmas, and finally show the existence of such a simulation relation.

Figure 5.1 Discrete controller automaton for the protector OS-PROT-SOLO_i.

Actions:
  Input:
    e, the environment action (stuttering)
    snapshot(y)_j, for each valuation y of Y_VEHICLES
  Output:
    brake(i)_j
    unbrake(i)_j

Variables:
  Internal:
    send_j ∈ {brake, unbrake, null}, initially null

Discrete Transitions:
  snapshot(y)_j
    Eff: if (y.ẋ_i ≤ c_max − d c_max) then
           send_j := unbrake
         else
           send_j := brake

  brake(i)_j
    Pre: send_j = brake
    Eff: send_j := null

  unbrake(i)_j
    Pre: send_j = unbrake
    Eff: send_j := null

Trajectories:
  w.send_j = null

In this section, we use the notation future_i, safe_i, very-safe_i, and delay-safe_i to denote the
specialization of the function future, the sets safe and very-safe, and the function delay-safe,
which are defined in Section 3.2.1, to the automaton VEHICLES, the sets R_i and G_i, and
the port j of the OS-PROT-SOLO_i protector. Moreover, since the environment action of
the VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs
involving the PP automaton.

We proceed by defining several sets that are used in the correctness proof of the protector
OS-PROT-SOLO_i. For reference, their formal definitions appear in Table 5.1.

Let W_i be the set of states of the VEHICLES automaton in which none of the vehicles have
collided and the vehicle i is at or below the speed limit; that is, W_i = R_i ∩ G_i. Let
V_i be the set of states of the VEHICLES automaton in which none of the vehicles have
collided, the vehicle i is at or below the speed limit, and the protector j is requesting the
vehicle i to brake; that is, V_i = R_i ∩ G_i ∩ P_B_ij. Furthermore, let T_i be the set of states
of the VEHICLES automaton in which none of the vehicles have collided, the vehicle i is
at or below the speed limit, and the condition ẋ_i ≤ c_max − d c_max is satisfied; that is,
T_i = {p ∈ R_i ∩ G_i | p.ẋ_i ≤ c_max − d c_max}.

Table 5.1 Sets used in the correctness proof of OS-PROT-SOLO_i

W_i ⊆ VALID, for i ∈ I, defined by
  W_i = R_i ∩ G_i

V_i ⊆ VALID, for i ∈ I, defined by
  V_i = R_i ∩ G_i ∩ P_B_ij

T_i ⊆ VALID, for i ∈ I, defined by
  T_i = {p ∈ R_i ∩ G_i | p.ẋ_i ≤ c_max − d c_max}
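As an added example, not code from the thesis, the following simulates the discrete controller of Figure 5.1 against a worst-case vehicle, to show why the snapshot test uses the threshold c_max − d·c_max that defines T_i rather than the speed limit itself. The constants, the sampling period d, and the zero-delay assumption (the brake(i)_j or unbrake(i)_j action that follows a snapshot takes effect before the vehicle moves again) are constructed assumptions; the speed limit and the acceleration bound, both written c_max in the text, are kept as separate constants here. A second controller without the d·c_max margin is included only to exhibit the overshoot the margin prevents.

```python
from typing import List, Tuple

# Constructed sample constants (assumed values, not from the thesis).
C_MAX_VEL = 20.0   # speed limit (c_max in the text)
C_MAX_ACC = 2.0    # maximum acceleration (also c_max in the text)
C_BRAKE = -5.0     # braking acceleration c_brake
D = 0.5            # sampling period d of the protector


def snapshot_decision(v_sampled: float, with_margin: bool = True) -> str:
    """Effect of snapshot(y)_j in Figure 5.1: unbrake if y.x_i' <= c_max - d*c_max, else brake.
    with_margin=False drops the d*c_max term (a deliberately wrong controller for contrast)."""
    threshold = C_MAX_VEL - D * C_MAX_ACC if with_margin else C_MAX_VEL
    return "unbrake" if v_sampled <= threshold else "brake"


def simulate(v0: float, n_samples: int,
             with_margin: bool = True) -> Tuple[float, List[Tuple[float, str, float]]]:
    """Run n_samples sampling periods against a worst-case vehicle that accelerates at
    C_MAX_ACC whenever it is not braked and decelerates at C_BRAKE when braked.
    Acceleration is constant between snapshots, so the velocity at the next snapshot is
    exact. Returns the peak velocity reached and a trace of (sampled v, decision, next v)."""
    v = v0
    peak = v0
    trace: List[Tuple[float, str, float]] = []
    for _ in range(n_samples):
        decision = snapshot_decision(v, with_margin)
        accel = C_BRAKE if decision == "brake" else C_MAX_ACC
        v_next = max(0.0, v + accel * D)      # velocities stay non-negative, as in VALID
        trace.append((v, decision, v_next))
        peak = max(peak, v, v_next)           # velocity is monotone between snapshots
        v = v_next
    return peak, trace


def respects_limit(v0: float, n_samples: int, with_margin: bool = True) -> bool:
    """True iff the vehicle never exceeds the speed limit during the run."""
    peak, _ = simulate(v0, n_samples, with_margin)
    return peak <= C_MAX_VEL
```

Between two snapshots the velocity can rise by at most d·c_max, so a vehicle sampled in T_i is still at or below c_max at the next snapshot; a controller that unbrakes whenever the sampled velocity is merely at or below c_max lets the vehicle overshoot by up to d·c_max before it can react.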

In the following lemma, we show that if we restrict the states of the VEHICLES automaton
to the set R_i and consider a state in which the vehicle i is at or below the speed limit and is
being requested to brake by the protector j, then, provided that no new protective actions
are issued by the protector j, the vehicle i remains at or below the speed limit thereafter.

Lemma 5.2.1 future_i(V_i, R_i, ∞) ⊆ G_i.

Proof: Let α be an execution fragment of the VEHICLES automaton of n steps and trajec-
tories, where n ∈ N, that: starts in a state in V_i, is only comprised of states in R_i, and
involves no input actions on port j. Letting p_init and p_final be the initial and final states of
α, respectively, we must show that p_final ∈ G_i. The proof is by induction on the length n of
the execution fragment α.

For the base case, consider the execution fragment α of length n = 0; that is, α is an
execution fragment that consists of a single point trajectory and, therefore, p_final = p_init.
Since p_init ∈ V_i and V_i ⊆ G_i, it follows that p_final ∈ G_i.

The inductive step involves showing that if α is an execution fragment of length n = k + 1,
for some k ∈ N, then p_final ∈ G_i. Let α' be the part of the execution fragment α comprised
of the first k steps and trajectories. The induction hypothesis involves the assertion that if
p'_final is the final state of α', then it is the case that p'_final ∈ G_i. Since the final state of α is
reached from the final state of α' by a single step or trajectory, the inductive step involves
the consideration of all possible steps and trajectories leading from p'_final to p_final.
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In the case of a step, we consider all possible discrete actions by cases: 

1. the actions brake(i)j and unbrake(i)j are not enabled because a involves no input 
actions on port j. 

2. the brick-wall(i) action sets the velocity of the vehicle i to zero. Therefore, it 
trivially follows that Pfi na i G G{. 

3. the actions colliding-pair(i', i"), for i' , i" G I,i' j^ i" , and collision-ef f ects(i'"), 
for i"' G I, are not enabled because a is only comprised of states in i? 8 -; recall that 

t^i — ^not-collided' 

4. the actions brake(i')j/, unbrake(i')j/, for i' G I,j' G J,j' j^ j, and brick-wall(i"), 
for i" G I, i" 7^ i, do not affect the velocity of the vehicle i; that is, Pfi na i-Zi = p'fi na i-^i- 
From the induction hypothesis we have that p'e na i G G{ and, therefore, it follows that 

Pfinai G Gi. 

In the case of a trajectory, since the execution fragment a starts in a state in Vi C Pg { and 
the only action that can set the brake-req(i,j) variable to False is not enabled throughout 
a, all states in a are in Pg r ; that is, the vehicle i keeps braking throughout the execution 
fragment a. Therefore, since the vehicle i in state p'c na i is in Gi, i.e., at or below the speed 
limit, and the vehicle i is braking throughout the trajectory from p'c na i to Pfi na i, it trivially 
follows that the velocity of the vehicle i in Pfi na i will be at or below the speed limit; that is, 

Pfinai G Gi. I 

In the following two lemmas, we use Lemma 5.2.1 to show that Vi C very-safe; and Vi C 
delay-safest), for any t G M-°, respectively. 

Lemma 5.2.2 Vi C very-safe;. 

Proof: From the definition of very-safe in Section 3.2.1, we must show that the condition 
futureSVijR.- ) C Gi is satisfied. This follows directly from Lemma 5.2.1. I 

Lemma 5.2.3 For any t G M-°, it is the case that Vi C delay-safest). 

Proof: Follows directly from Lemma 5.2.2 and Lemma 3.2.5, part 1. I 

In the following two lemmas and the subsequent corollary, we show that the sets $W_i$ and 
safe_i are equal. First, we show that $W_i \subseteq \textit{safe}_i$ and $\textit{safe}_i \subseteq W_i$. Then the fact that 
$W_i = \textit{safe}_i$ follows trivially. 

Lemma 5.2.4 $W_i \subseteq \textit{safe}_i$. 

Proof: From the definition of safe in Section 3.2.1, we must show that any state $p \in W_i$ 
satisfies: (i) $future_i(p, 0) \subseteq G_i$, and (ii) there exists some action $\pi$ such that for every 
$p', p'' \in R_i$ satisfying $p' \in future_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{very-safe}_i$. 

For the first condition, let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ 
steps, where $n \in \mathbb{N}$, that: starts in a state in $W_i$, is only comprised of states in $R_i$, involves 
no input actions on port $j$, and has a limit time equal to zero. Letting $p_{init}$ and $p_{final}$ be 
the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$. 

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an 
execution fragment that consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_i$, 
it follows that $p_{final} \in G_i$. 

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, 
for some $k \in \mathbb{N}$, then $p_{final} \in G_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised 
of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{final}$ is the final 
state of $\alpha'$, then it is the case that $p'_{final} \in G_i$. Since the final state of $\alpha$ is reached from the 
final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible 
steps leading from $p'_{final}$ to $p_{final}$. 

To complete the induction, we consider all possible discrete actions by cases: 

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input 
actions on port $j$. 

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero. Therefore, it 
trivially follows that $p_{final} \in G_i$. 

3. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \neq i''$, and collision-effects(i'''), 
for $i''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$; recall that 
$R_i = P_{not\text{-}collided}$. 

4. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \neq j$, and brick-wall(i''), 
for $i'' \in I$, $i'' \neq i$, do not affect the velocity of the vehicle $i$; that is, $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. 
However, from the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, it 
trivially follows that $p_{final} \in G_i$. 

For the second condition, consider the action $\pi$ = brake(i)_j. The effect of this action is 
to set the internal variable brake-req(i,j) to True. Therefore, it is the case that $p'' \in P_{B_{ij}}$. 
From the proof of the first condition, it is the case that $p' \in G_i$, and since the brake(i)_j 
action does not affect the velocity of the vehicle $i$, it is also the case that $p'' \in G_i$. From the 
above conditions and the fact that $p'' \in R_i$, it follows that $p'' \in V_i$. Finally, Lemma 5.2.2 
implies that $p'' \in \textit{very-safe}_i$, as needed. □

Lemma 5.2.5 $\textit{safe}_i \subseteq W_i$. 

Proof: From Lemma 3.2.4, part 1, and the definition of safe in Section 3.2.1, it is the case 
that $\textit{safe}_i \subseteq G_i$ and $\textit{safe}_i \subseteq R_i$, respectively. It trivially follows that $\textit{safe}_i \subseteq W_i$. □

Corollary 5.2.6 $W_i = \textit{safe}_i$. 

Proof: Follows directly from Lemmas 5.2.4 and 5.2.5. □

In the next three lemmas, we show that any state $p$ in the set $T_i$ is in the set delay-safe_i(d); 
that is, any state $R_i$-reachable from $p$ within an amount of time $d$ through an execution 
fragment that involves no input actions on port $j$, is in the set $G_i$ and any state $R_i$-reachable 
from the state $p$ in exactly an amount of time $d$ through an execution fragment that involves 
no input actions on port $j$, is in the set safe_i. 

Lemma 5.2.7 $future_i(T_i, [0, d]) \subseteq G_i$. 

Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps and trajectories, 
where $n \in \mathbb{N}$, that: starts in a state in $T_i$, is only comprised of states in $R_i$, involves 
no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0, d]$. Letting $p_{init}$ 
and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_i$. 

We use induction on the length $n$ of the execution fragment $\alpha$ and the assertion $p_{final}.\dot{x}_i \leq 
p_{init}.\dot{x}_i + t\,\dot{c}_{max}$ to show that $p_{final} \in G_i$. 

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an 
execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ 
and $p_{final}.\dot{x}_i = p_{init}.\dot{x}_i$. Moreover, since $t = 0$, it is the case that $t\,\dot{c}_{max} = 0$. It trivially 
follows that $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. 

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for 
some $k \in \mathbb{N}$, then $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. Let $\alpha'$ be the part of the execution fragment 
$\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the 
assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, and 
$t' \in [0, t]$ is the limit time of $\alpha'$, then it is the case that $p'_{final}.\dot{x}_i \leq p'_{init}.\dot{x}_i + t'\,\dot{c}_{max}$. Since 
the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the 
inductive step involves the consideration of all possible steps and trajectories leading from 
$p'_{final}$ to $p_{final}$. 

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, 
we consider all possible discrete actions by cases: 

1. the actions brake(i)_j and unbrake(i)_j are not enabled because $\alpha$ involves no input 
actions on port $j$. 

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and since all vehicle 
velocities are restricted to be non-negative, it follows that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i$. 
Moreover, from the induction hypothesis, we have $p'_{final}.\dot{x}_i \leq p'_{init}.\dot{x}_i + t'\,\dot{c}_{max}$. Since 
$p_{init} = p'_{init}$ and $t = t'$, it follows that $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. 

3. the actions colliding-pair(i', i''), for $i', i'' \in I$, $i' \neq i''$, and collision-effects(i'''), 
for $i''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$; recall that 
$R_i = P_{not\text{-}collided}$. 

4. the actions brake(i')_{j'}, unbrake(i')_{j'}, for $i' \in I$, $j' \in J$, $j' \neq j$, and brick-wall(i''), 
for $i'' \in I$, $i'' \neq i$, do not affect the velocity of the vehicle $i$; that is, $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. 
Moreover, from the induction hypothesis we have $p'_{final}.\dot{x}_i \leq p'_{init}.\dot{x}_i + t'\,\dot{c}_{max}$. Since 
$p_{init} = p'_{init}$ and $t = t'$, it follows that $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. 

In the case of a trajectory, since the change in velocity is equal to the integral of the 
acceleration and the acceleration is bounded from above by the quantity $\dot{c}_{max}$, it is the case 
that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i + (t - t')\,\dot{c}_{max}$. Moreover, from the induction hypothesis we have 
$p'_{final}.\dot{x}_i \leq p'_{init}.\dot{x}_i + t'\,\dot{c}_{max}$. Since $p_{init} = p'_{init}$, it follows that $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. This 
result completes the induction. 

Since $p_{init} \in T_i$, it is the case that $p_{init}.\dot{x}_i \leq c_{max} - d\,\dot{c}_{max}$. Moreover, from the above 
induction we have $p_{final}.\dot{x}_i \leq p_{init}.\dot{x}_i + t\,\dot{c}_{max}$. Therefore, $p_{final}.\dot{x}_i \leq c_{max} - (d - t)\,\dot{c}_{max}$, and 
since $d - t \geq 0$ and $\dot{c}_{max} > 0$, it follows that $p_{final}.\dot{x}_i \leq c_{max}$; that is, $p_{final} \in G_i$, as needed. □

Lemma 5.2.8 $future_i(T_i, 0) \subseteq T_i$. 

Proof: From Lemma 5.2.4 and the definition of $T_i$ it is the case that $T_i \subseteq \textit{safe}_i$. Therefore, 
from Lemma 3.2.4, part 2, it follows that $future_i(T_i, 0) \subseteq \textit{safe}_i$. Moreover, Lemma 5.2.5 
implies that $future_i(T_i, 0) \subseteq W_i$. It remains to be shown that for all $p, p' \in R_i$ such that 
$p \in T_i$ and $p' \in future_i(p, 0)$, it is the case that $p'.\dot{x}_i \leq c_{max} - d\,\dot{c}_{max}$. 

Because of the non-negative constraint on the vehicle velocities, the only discrete action 
that could potentially increase the velocity of the vehicle $i$ is the collision-effects(i) 
action. However, the collision-effects(i) action is not enabled because the function 
$future_i(p, 0)$ only considers $R_i$-reachable states. It follows that $p'.\dot{x}_i \leq p.\dot{x}_i$. Moreover, since 
$p \in T_i$, it is the case that $p.\dot{x}_i \leq c_{max} - d\,\dot{c}_{max}$. It trivially follows that $p'.\dot{x}_i \leq c_{max} - d\,\dot{c}_{max}$, 
as needed. □

Lemma 5.2.9 $T_i \subseteq \textit{delay-safe}_i(d)$. 

Proof: We must show that $future_i(T_i, [0, d]) \subseteq G_i$ and $future_i(T_i, d) \subseteq \textit{safe}_i$. The first condition 
follows directly from Lemma 5.2.7. For the second condition, from Lemma 3.2.1, part 1, 
we have that $future_i(T_i, d) \subseteq future_i(T_i, [0, d])$. Therefore, from Lemma 5.2.7 it follows that 
$future_i(T_i, d) \subseteq G_i$. Moreover, since $future_i(T_i, d)$ restricts the reachable states to the set 
$R_i$, it is the case that $future_i(T_i, d) \subseteq R_i$. Therefore, it is the case that $future_i(T_i, d) \subseteq W_i$ 
and from Lemma 5.2.4 it follows that $future_i(T_i, d) \subseteq \textit{safe}_i$, as needed. □

In the following lemma, we show that the OS-PROT-SOLO_i protector implements the protector 
$Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. Since the protector automata OS-PROT-SOLO_i and $Abs_j$ 
involve the composition of the same sensor automaton with distinct controller automata, 
it suffices to show that the discrete controller automaton of the protector OS-PROT-SOLO_i 
implements the discrete controller automaton $DC(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. 

Lemma 5.2.10 OS-PROT-SOLO_i $\leq Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. 

Proof: As noted above, both the OS-PROT-SOLO_i and the $Abs_j$ protectors involve the composition 
of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, 
it suffices to show that the discrete controller automaton of OS-PROT-SOLO_i 
implements $DC_j$. This is shown by a simulation from the discrete controller automaton of 
OS-PROT-SOLO_i to $DC_j$. 

The mapping between the states of the discrete controller automaton of OS-PROT-SOLO_i 
and $DC_j$ is almost the identity. In the discrete controller automaton of OS-PROT-SOLO_i, 
the variable $send_j$ is equal to either one of the labels brake and unbrake, or the value null. 
In the abstract discrete controller automaton, these valuations simply map to either the 
actions brake(i)_j and unbrake(i)_j, or the value null, respectively. 

The start states for the discrete controller automaton of OS-PROT-SOLO_i and $DC_j$ are the 
states in which $send_j$ = null. These are mapped to each other according to the mapping 
discussed above. 

Furthermore, since the trajectories in both discrete controller automata are identical, we 
need only consider their discrete transitions. We analyze the actions of the implementation 
by cases, letting $p$ denote any complete state of the VEHICLES automaton that corresponds 
to $y$, i.e., $p \in VALID$ and $p \lceil Y_{\text{VEHICLES}} = y$. 

1. The snapshot(y)_j action of the implementation sets $send_j$ to brake, or unbrake. In 
order to show that the behavior of the implementation is allowed by the specification, 
we must show that the input action snapshot(y)_j of the implementation sets the 
value of the $send_j$ variable in such a way that the subsequently enabled action $\pi$ of 
the implementation (i) guarantees that for all $p', p'' \in R_i$ such that $p' \in future_i(p, 0)$ 
and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \textit{delay-safe}_i(d)$, if $p \in \textit{safe}_i$, and (ii) is an arbitrary 
output action of the implementation, otherwise. 

First, consider the case in which $p \in \textit{safe}_i$. Since Corollary 5.2.6 implies that $p \in W_i$, 
the discrete controller automaton of OS-PROT-SOLO_i sets the variable $send_j$ according 
to whether the state $p$ is in $T_i$, or not. 

On one hand, if $p \notin T_i$ then the discrete controller automaton of OS-PROT-SOLO_i 
sets the variable $send_j$ to brake and the brake(i)_j action is enabled. However, since 
$p \in \textit{safe}_i$, Lemma 3.2.4, part 2, implies that $p' \in \textit{safe}_i$ and from Corollary 5.2.6 it 
follows that $p' \in W_i$. Moreover, since the brake(i)_j action sets the brake-req(i,j) 
variable to True and affects neither the velocity of any of the vehicles, nor any of the 
collided variables, it is the case that $p'' \in R_i \cap G_i \cap P_{B_{ij}}$, i.e., $p'' \in V_i$. Finally, from 
Lemma 5.2.3, it follows that $p'' \in \textit{delay-safe}_i(d)$, as needed. 

On the other hand, if $p \in T_i$ then the discrete controller automaton of OS-PROT-SOLO_i 
sets the variable $send_j$ to unbrake and the unbrake(i)_j action is enabled. From 
Lemma 5.2.8, it follows that $p' \in T_i$. Moreover, since the unbrake(i)_j action sets the 
brake-req(i,j) variable to False and affects neither the velocity of the vehicle $i$, nor 
any of the collided variables, it is the case that $p'' \in T_i$. Finally, from Lemma 5.2.9, it 
follows that $p'' \in \textit{delay-safe}_i(d)$, as needed. 

Next, consider the case in which $p \notin \textit{safe}_i$. In this case, the snapshot(y)_j action of 
the discrete controller automaton of OS-PROT-SOLO_i sets the variable $send_j$ to either 
brake or unbrake and, subsequently, enables either the action brake(i)_j or the action 
unbrake(i)_j. However, when $p \notin \textit{safe}_i$, the $DC_j$ automaton sets the variable $send_j$ 
arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the 
behavior of the discrete controller automaton of OS-PROT-SOLO_i is allowed by that of 
the $DC_j$ automaton. 

Therefore, the effects of the snapshot(y)_j action of the implementation are allowed 
by its specification. 

2. The brake(i)_j and unbrake(i)_j actions have identical effects in both discrete controller 
automata. When the $send_j$ variable matches the labels brake and unbrake, or the 
actions brake(i)_j and unbrake(i)_j, the respective action is performed and the $send_j$ 
variable is set to the value null in both discrete controller automata. 

3. The environment action in both discrete controller automata is stuttering. It follows 
that the mapping between the states of the discrete controller automaton of 
OS-PROT-SOLO_i and the $DC_j$ automaton prior to and succeeding the execution of the 
environment action remains the same. □

Corollary 5.2.11 The protector OS-PROT-SOLO_i guarantees $G_i$ in the VEHICLES automaton 
starting from $S_i$ given $R_i$. 

Proof: Follows directly from Lemma 5.2.10 and Theorem 3.2.9. □
Table 5.2 Formal definitions of OS-PROT, $G_{\text{OS-PROT}}$, $S_{\text{OS-PROT}}$, and $R_{\text{OS-PROT}}$ 

OS-PROT $= \prod_{i \in I}$ OS-PROT-SOLO_i 

$G_{\text{OS-PROT}} = \bigcap_{i \in I} G_i$ 

$S_{\text{OS-PROT}} = \bigcap_{i \in I} S_i$ 

$R_{\text{OS-PROT}} = P_{not\text{-}collided}$ 

5.3 Protection System OS-PROT 

We now define the overspeed protector OS-PROT. As in the vehicle-wise case, we restrict 
the states of the VEHICLES automaton to the set $P_{not\text{-}collided}$ as defined in Section 4.2, i.e., 
$R_{\text{OS-PROT}} = P_{not\text{-}collided}$. Let $G_{\text{OS-PROT}}$ and $S_{\text{OS-PROT}}$ be the intersection of the sets $G_i$ and $S_i$, 
for all $i \in I$, respectively, and OS-PROT be the composition of the protectors OS-PROT-SOLO_i, 
for all $i \in I$. The protector OS-PROT guarantees that the VEHICLES automaton remains 
within $G_{\text{OS-PROT}}$ starting from $S_{\text{OS-PROT}}$ given $R_{\text{OS-PROT}}$. For reference, the formal definition 
of the OS-PROT automaton and of the sets $G_{\text{OS-PROT}}$, $S_{\text{OS-PROT}}$, and $R_{\text{OS-PROT}}$ are shown in 
Table 5.2. 

Corollary 5.3.1 The protector OS-PROT guarantees $G_{\text{OS-PROT}}$ in the VEHICLES automaton 
starting from $S_{\text{OS-PROT}}$ given $R_{\text{OS-PROT}}$. 

Proof: Follows directly from Corollary 5.2.11 and Theorem 3.1.4. □
Chapter 6 

Example 2: Collision Avoidance on a Single Track 

This chapter is similar to Chapter 5; instead of an overspeed protector, here we present 
a collision protector for the VEHICLES automaton. We define the protector CL-PROT that 
guarantees that none of the vehicles collide, provided that they are all abiding by the 
speed limit. The CL-PROT protector is defined as the composition of $n$ separate copies 
of another protector called CL-PROT-SOLO_i, one copy for each vehicle $i \in I$. Each of the 
CL-PROT-SOLO_i protectors, for $i \in I$, is an implementation of a particular instantiation of 
the abstract protector automaton of Section 3.2 and guarantees that the vehicle $i$ does not 
collide into any of the vehicles it trails. 

6.1 Protection System CL-PROT-SOLO_i 

The CL-PROT-SOLO_i automata are vehicle-wise collision protectors and individually guarantee 
that the vehicle $i$ does not collide into any of the vehicles it trails, provided that all 
vehicles are abiding by the speed limit and that all other vehicles $i' \in I$, $i' \neq i$, do not collide 
into any of the vehicles they respectively trail. Each of the CL-PROT-SOLO_i protectors, for 
$i \in I$, is an implementation of the abstract protector of Section 3.2 specialized to particular 
definitions of the parameters PP, $S$, $R$, $G$, $j$, and $d$. 

The physical plant automaton, PP, is defined to be the VEHICLES automaton of Figure 4.1. 
The port $j$ and the sampling period $d$ are defined to be the port and sampling period with 
which the protector CL-PROT-SOLO_i communicates with the VEHICLES automaton and are 
assumed arbitrary. The set of "good" states $G$ is defined to be the set of states in which the 
vehicle $i$ has not collided into any of the other vehicles, i.e., $G = VALID - P_{collided(i)}$. In this 
chapter, we use the notation $G_i$ to refer to this definition of the set $G$. The set $R$ is defined 
to be the set $R = P_{not\text{-}overspeed} \cap \left(\bigcap_{i' \in I,\, i' \neq i} G_{i'}\right)$. This definition restricts the states of the 
VEHICLES automaton to states in which all of the vehicles are abiding by the speed limit 
and in which each of the remaining vehicles has never collided into any other vehicle. The 
set of states $S$ is defined to be the set safe defined in Section 3.2.1; that is, the set of states 
of the PP automaton for which a single input action of PP on port $j$ can guarantee that, 
provided no new input actions on port $j$ are allowed, all subsequently $R$-reachable states 
will be in $G$. Once again, the definition of the set safe is specialized to the above definitions 
of the automaton PP, the sets $R$ and $G$, and the port $j$. In this chapter, we use the notation 
$R_i$ and $S_i$ to refer to the above definitions of the sets $R$ and $S$. 

The CL-PROT-SOLO_i protector automaton is an implementation of the abstract protector 
automaton $Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. More precisely, as is the case for the abstract 
protector $Abs_j$, we define the CL-PROT-SOLO_i automaton to be the composition of a sensor 
and a discrete controller automaton. These automata are implementations of their abstract 
equivalents of Figures 3.2 and 3.3, specialized however, to the above definitions of the 
parameters PP, $S$, $R$, $G$, $j$, and $d$. The sensor automaton is precisely the specialization of 
the sensor automaton of Figure 3.2 to the above definitions of the parameters PP, etc. The 
discrete controller automaton is defined in Figure 6.1. 

The braking strategy of the CL-PROT-SOLO_i protector is as follows. The protector instructs 
the vehicle $i$ to brake if it has a $d$ time unit claim overlap with any of the vehicles it 
trails; that is, the protector instructs the vehicle $i$ to brake if there exists a vehicle $i'$, for 
$i' \in I$, $i' \neq i$, such that the sections of the track claimed by the vehicles $i$ and $i'$ in time $d$ 
overlap and $x_i < x_{i'}$. The rationale behind this braking strategy is that a collision between 
two vehicles in the VEHICLES automaton can only be prevented by instructing the trailing 
vehicle to brake. 

It is important to note that the abstract protector automaton $Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ 
complies with the assumptions made about the abstract protector in Section 3.2.1. In particular, 
since the vehicle position variables, the vehicle velocity variables, and the collided variables 
are output variables of the VEHICLES automaton, the set safe is $Y_{\text{VEHICLES}}$-determinable 
and actions that guarantee safety can be determined from the output variables $Y_{\text{VEHICLES}}$ of 
the VEHICLES automaton (Axioms 3.2.4 and 3.2.5, respectively). Moreover, the sets $R_i$ and 
$G_i$ are $Y_{\text{VEHICLES}}$-determinable (Axioms 3.2.6 and 3.2.7, respectively) and the set of start 
states $S_i$ is a subset of the set safe (Axiom 3.2.8), since $S_i$ is defined to be the set safe. 

In Section 3.1 it was shown that the abstract protector $Abs_j$ guarantees that the physical 
plant PP remains within $G$ starting from $S$ given $R$. Similarly, the CL-PROT-SOLO_i automaton 
guarantees that the VEHICLES automaton remains within $G_i$ starting from $S_i$ given $R_i$. 
This is shown in the following section. 
Figure 6.1 Discrete controller automaton for the protector CL-PROT-SOLO_i 

Actions:   Input:  e, the environment action (stuttering) 
                   snapshot(y)_j, for each valuation y of $Y_{\text{VEHICLES}}$ 
           Output: brake(i)_j 
                   unbrake(i)_j 

Variables: Internal: send_j $\in$ {brake, unbrake, null}, initially null 

Discrete Transitions: 

snapshot(y)_j 
  Eff: if $\exists\, i' \in I$, $i' \neq i$ such that 
           y $\notin$ disjoint-claimed-tracks(i, i', d) $\wedge$ ($y.x_i < y.x_{i'}$) 
       then send_j := brake 
       else send_j := unbrake 

brake(i)_j 
  Pre: send_j = brake 
  Eff: send_j := null 

unbrake(i)_j 
  Pre: send_j = unbrake 
  Eff: send_j := null 

Trajectories: 
  w.send_j = null 


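The snapshot rules of the two vehicle-wise protectors, as an added example in Python that is not part of the thesis: the overspeed test $p \in T_i$ of Table 5.1 (brake unless $\dot{x}_i \leq c_{max} - d\,\dot{c}_{max}$) and the claim-overlap test of Figure 6.1 applied from the trailing vehicle's side. The claimed track section $C_i(t)$ is modelled here by an assumed kinematic interval (worst-case acceleration for $t$ time units followed by maximum braking), since its Chapter 4 definition is not on this page; the names `TrackParams`, `cdot_max`, `cdot_min` and the sample snapshots are constructed for the example.

```python
"""Added example (not from the thesis): the snapshot decision rules of the
overspeed protector OS-PROT-SOLO_i (Table 5.1) and the collision protector
CL-PROT-SOLO_i (Figure 6.1), with an assumed model of the claimed track C_i(t)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Interval = Tuple[float, float]  # closed section of track [lo, hi]


@dataclass(frozen=True)
class TrackParams:
    c_max: float     # speed limit c_max
    cdot_max: float  # maximum acceleration (c-dot_max), assumed > 0
    cdot_min: float  # maximum deceleration (c-dot_min), assumed < 0


@dataclass(frozen=True)
class Vehicle:
    x: float     # position along the single track
    xdot: float  # velocity, non-negative by the VEHICLES constraints


Snapshot = Dict[int, Vehicle]  # valuation y of Y_VEHICLES, keyed by vehicle index i


def stopping_distance(xdot: float, p: TrackParams) -> float:
    """Distance covered while braking to rest from xdot at maximum deceleration."""
    return xdot * xdot / (2.0 * abs(p.cdot_min))


def worst_case_advance(xdot: float, t: float, p: TrackParams) -> Tuple[float, float]:
    """Farthest a vehicle can get in t time units: accelerate at cdot_max until the
    speed limit, then cruise. Returns (distance, velocity reached)."""
    t_acc = min(t, max(0.0, (p.c_max - xdot) / p.cdot_max))
    v_end = xdot + p.cdot_max * t_acc
    dist = xdot * t_acc + 0.5 * p.cdot_max * t_acc ** 2 + v_end * (t - t_acc)
    return dist, v_end


def claimed_track(v: Vehicle, t: float, p: TrackParams) -> Interval:
    """Assumed model of C_i(t): from the current position to the farthest point at
    which the vehicle could come to rest after t time units of worst-case driving."""
    dist, v_end = worst_case_advance(v.xdot, t, p)
    return (v.x, v.x + dist + stopping_distance(v_end, p))


def intersects(a: Interval, b: Interval) -> bool:
    """Closed intervals overlap iff neither one ends before the other starts."""
    return max(a[0], b[0]) <= min(a[1], b[1])


def in_T_i(y: Snapshot, i: int, d: float, p: TrackParams) -> bool:
    """T_i membership (Table 5.1), given that y already lies in R_i and G_i."""
    return y[i].xdot <= p.c_max - d * p.cdot_max


def overspeed_send(y: Snapshot, i: int, d: float, p: TrackParams) -> str:
    """snapshot(y)_j of OS-PROT-SOLO_i: unbrake iff the state is in T_i."""
    return "unbrake" if in_T_i(y, i, d, p) else "brake"


def collision_send(y: Snapshot, i: int, d: float, p: TrackParams) -> str:
    """snapshot(y)_j of Figure 6.1: brake iff some vehicle i' ahead of i
    (y.x_i < y.x_i') has a d time unit claim overlap with i."""
    ci = claimed_track(y[i], d, p)
    for k, other in y.items():
        if k != i and y[i].x < other.x and intersects(ci, claimed_track(other, d, p)):
            return "brake"
    return "unbrake"


class DiscreteController:
    """Discrete controller of Figure 6.1: snapshot(y)_j sets send_j; the output
    action brake(i)_j / unbrake(i)_j fires only when send_j matches and resets it."""

    def __init__(self, i: int, d: float, p: TrackParams, rule=collision_send):
        self.i, self.d, self.p, self.rule = i, d, p, rule
        self.send: Optional[str] = None  # None plays the role of null

    def snapshot(self, y: Snapshot) -> None:
        self.send = self.rule(y, self.i, self.d, self.p)

    def output(self) -> Optional[str]:
        """Perform the enabled output action, or None when send_j = null."""
        if self.send is None:
            return None
        action, self.send = f"{self.send}({self.i})_j", None
        return action


if __name__ == "__main__":
    # Constructed sample: speed limit 10, accel 1, decel -2, sampling period d = 1.
    P = TrackParams(c_max=10.0, cdot_max=1.0, cdot_min=-2.0)
    y = {0: Vehicle(x=0.0, xdot=5.0), 1: Vehicle(x=12.0, xdot=5.0)}
    for i in y:
        c = DiscreteController(i, 1.0, P)
        c.snapshot(y)
        print(f"vehicle {i}: claim {claimed_track(y[i], 1.0, P)} -> {c.output()}")
```

Only the trailing vehicle 0 receives brake in the sample, which is the braking strategy's rationale: the leading vehicle 1 sees no vehicle ahead of it and is sent unbrake.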

6.2 Correctness of CL-PROT-SOLO_i 

The main result to be shown is that CL-PROT-SOLO_i $\leq Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. Since 
both CL-PROT-SOLO_i and $Abs(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ involve the composition of the same 
sensor automaton with distinct discrete controller automata, Theorem 2.7.4 applies. Therefore, 
it suffices to show that the discrete controller automaton of CL-PROT-SOLO_i of Figure 6.1 
implements the discrete controller automaton $DC(\text{VEHICLES}, S_i, R_i, G_i, j, d)$ of Figure 3.3. 
According to Theorem 2.6.1, this follows by showing that there exists a simulation 
relation between the states of the discrete controller automaton of CL-PROT-SOLO_i and the 
discrete controller automaton $DC(\text{VEHICLES}, S_i, R_i, G_i, j, d)$. We first give some useful set 
definitions, then prove some lemmas, and finally show the existence of such a simulation 
relation. The correctness proof follows the steps of the correctness proof of Section 5.2. 

Table 6.1 Sets used in the correctness proof of CL-PROT-SOLO_i. 

$W_i \subseteq VALID$, for $i \in I$, defined by 
$W_i = \{p \in R_i \cap G_i \mid \nexists\, i' \in I, i' \neq i : p.O_i \cap p.O_{i'} \neq \emptyset \wedge p.x_i < p.x_{i'}\}$ 

$V_i \subseteq VALID$, for $i \in I$, defined by 
$V_i = W_i \cap P_{B_{ij}}$ 

$T_i(t) \subseteq VALID$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by 
$T_i(t) = \{p \in R_i \cap G_i \mid \nexists\, i' \in I, i' \neq i : p.C_i(t) \cap p.C_{i'}(t) \neq \emptyset \wedge p.x_i < p.x_{i'}\}$ 

In this section, we use the notation $future_i$, safe_i, very-safe_i, and delay-safe_i to denote the 
specialization of the function future, the sets safe and very-safe, and the function delay-safe, 
which are defined in Section 3.2.1, to the automaton VEHICLES, the sets $R_i$ and $G_i$, and 
the port $j$ of the CL-PROT-SOLO_i protector. Moreover, since the environment action of 
the VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs 
involving the PP automaton. 

We proceed by defining several sets that are used in the correctness proof of the protector 
CL-PROT-SOLO_i. For reference, their formal definitions appear in Table 6.1. 

Let $W_i$ be the subset of $R_i \cap G_i$ comprised of the states in which the section of the track 
owned by the vehicle $i$ does not overlap the section of track owned by any of the vehicles 
it trails; that is, for every state $p$ in $W_i$, $p \in R_i \cap G_i$ and there does not exist $i' \in I$, $i' \neq i$ 
such that $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. 

Let $V_i$ be the subset of $W_i$ comprised of the states in which the protector $j$ is requesting 
the vehicle $i$ to brake; that is, $V_i = W_i \cap P_{B_{ij}}$. 

Let $T_i(t)$, where $t \in \mathbb{R}^{\geq 0}$, be the subset of $R_i \cap G_i$ comprised of the states in which the 
section of the track claimed in time $t$ by the vehicle $i$ does not overlap the section of the 
track claimed in time $t$ by any of the vehicles it trails; that is, for every state $p$ in $T_i(t)$, 
$p \in R_i \cap G_i$ and there does not exist $i' \in I$, $i' \neq i$ such that $p.C_i(t) \cap p.C_{i'}(t) \neq \emptyset$ and 
$p.x_i < p.x_{i'}$. 

Lemma 6.2.1 For all $t, t' \in \mathbb{R}^{\geq 0}$, $t \leq t'$, the following hold: 

1. $T_i(t) \subseteq W_i \subseteq G_i$. 

2. $V_i \subseteq W_i \subseteq G_i$. 

3. $T_i(t') \subseteq T_i(t)$. 

4. $T_i(0) = W_i$. 

Proof: Follow directly from the definitions of the sets $G_i$, $W_i$, and $T_i(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, 
and Lemma 4.4.2. □

In the following three lemmas, we show that any state $R_i$-reachable from a state in $V_i$ 
through an execution fragment that involves no input actions on port $j$, is in $V_i$. In the 
first lemma, we show that if the final state of such an execution fragment is in $G_i$ and the 
section of track owned by the vehicle $i$ has not grown since the beginning of the execution 
fragment, then the final state of the execution fragment is in $V_i$. In the second lemma, we 
show that the final state of any such execution fragment is in $G_i$ and the section of track 
owned by the vehicle $i$ does not grow throughout the execution fragment. Finally, the third 
lemma combines these two results and states formally the desired property. 

Lemma 6.2.2 Let $p \in V_i$ and $p' \in future_i(p, \mathbb{R}^{\geq 0})$. If $p' \in G_i$ and $p'.O_i \subseteq p.O_i$ then $p' \in V_i$. 

Proof: We need to show that $p' \in R_i \cap G_i \cap P_{B_{ij}}$ and that there does not exist $i' \in I$, $i' \neq i$ 
such that $p'.O_i \cap p'.O_{i'} \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. We consider these conditions by cases: 

1. $p' \in R_i$. 

This is the case because the function $future_i(p, \mathbb{R}^{\geq 0})$ only considers $R_i$-reachable states. 

2. $p' \in G_i$. 

This is true by assumption. 

3. $p' \in P_{B_{ij}}$. 

Since $p \in P_{B_{ij}}$, it is the case that $p$.brake-req(i,j) = True. Moreover, the brake-req(i,j) 
variable can only be set to False by an unbrake(i)_j action — an action not allowed 
by the function $future_i(p, \mathbb{R}^{\geq 0})$. Therefore, it follows that $p' \in P_{B_{ij}}$, as needed. 

4. $\nexists\, i' \in I$, $i' \neq i$, such that $p'.O_i \cap p'.O_{i'} \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. 

Because $p \in V_i$ we have that for all $i' \in I$, $i' \neq i$ such that $p.x_i < p.x_{i'}$ it is the 
case that $p.O_i \cap p.O_{i'} = \emptyset$; that is, for all $i' \in I$, $i' \neq i$ such that $p.x_i < p.x_{i'}$ it 
is the case that $\max(p.O_i) < \min(p.O_{i'})$. However, by assumption it is the case 
that $p'.O_i \subseteq p.O_i$. Therefore, since the vehicle velocities are restricted to be non-negative, 
it follows that for all $i' \in I$, $i' \neq i$ such that $p'.x_i < p'.x_{i'}$ it is the case that 
$\max(p'.O_i) < \min(p'.O_{i'})$. This is sufficient to guarantee that there does not exist 
$i' \in I$, $i' \neq i$ such that $p'.O_i \cap p'.O_{i'} \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. □

Lemma 6.2.3 For all $p \in V_i$, if $p' \in future_i(p, \mathbb{R}^{\geq 0})$, then $p' \in G_i$ and $p'.O_i \subseteq p.O_i$. 
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Proof: Let a be an execution fragment of the VEHICLES automaton of n steps and trajec- 
tories, where n G N, that: starts in a state in Vi, is only comprised of states in Rj, and 
involves no input actions on port j. Letting Pi n a and Pfi na i be the initial and final states 
of a, respectively, we must show that Pfi na i G G; and Pfi na i-Oi C Pi n a.Oi. The proof is by 
induction on the length n of the execution fragment a. 

For the base case, consider the execution fragment a of length n = 0; that is, a is an 
execution fragment that consists of a single point trajectory and, therefore, Pfi na i = Pinit- 
From Lemma 6.2.1, part 2, and the fact that Pi n a G Vi, it follows that Pfi na i G Gi. Moreover, 
the fact that Pfi na i-Oi C Pi n a.Oi is trivially true. 

The inductive step involves showing that if a is an execution fragment of length n = k + 1, 
for some k G N, then Pfi na i G 67; and Pfi na i-Oi C Pi n a.Oi. Let a' be the part of the execution 
fragment a comprised of the first k steps and trajectories. The induction hypothesis involves 
the assertion that if p' n8t and p'u na i are the initial and final states of a', respectively, then 
it is the case that p'g na j G Gi and p'g na j-Oi C p' init .Oi. Moreover, from Lemma 6.2.2 it follows 
that p'fi na i G Vi. Since the final state of a is reached from the final state of a' by a single 
step or trajectory, the inductive step involves the consideration of all possible steps and 
trajectories leading from p' final to p fina i. 

In the case of a step, we consider all possible discrete actions by cases: 

1. the actions brake(i)j and unbrake(i)j are not enabled because a involves no input 
actions on port j. 

2. the brick-wall(i) action sets the velocity of the vehicle i to zero and does not affect 
the variables collided(i, i'), for i' G I,i' j^ i. 

From the induction hypothesis, it is the case that p'c na i G Gi. Therefore, since the 
internal action brick-wall(i) does not affect the variables collided(i, i'), for i' G I,i' j^ 
i, it follows that Pfi na i G Gi. 

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case 
that pfinai.ii < p' final .Xi. From Lemma 4.4.3, part 1, it follows that Pfi na i-O t C p' fina ,.O t . 
However, from the induction hypothesis it is the case that p'g na j-Oi C p' init .Oi. There- 
fore, since p init = p' mit , it follows that Pfi na i-O t C p tmt .O t , as needed. 

3. the actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, 
for $i'' \in I, i'' \neq i$, affect neither the velocity of the vehicle $i$, nor the variables 
$\mathit{collided}(i, i''')$, for $i''' \in I, i''' \neq i$. 

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the 
actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, for 
$i'' \in I, i'' \neq i$, do not affect the variables $\mathit{collided}(i, i''')$, for $i''' \in I, i''' \neq i$, it follows 
that $p_{final} \in G_i$. 
Moreover, since the input actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, 
and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I, i'' \neq i$, do not affect the velocity of 
the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows 
that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that 
$p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as 
needed. 

4. the actions $\mathit{colliding\text{-}pair}(i', i'')$, for $i', i'' \in I, i' \neq i''$, and $\mathit{collision\text{-}effects}(i''')$, 
for $i''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$ and $p'_{final} \in V_i$. 

In the case of a trajectory, since $p'_{final} \in V_i$ and $V_i \subseteq P_{b_i}$, Lemma 4.4.4, part 1, implies that 
$p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq 
p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$. Moreover, since 
$p'_{final} \in G_i$ and the variables $\mathit{collided}(i, i')$, for all $i' \in I, i' \neq i$, remain constant throughout 
the trajectory, it follows that $p_{final} \in G_i$, as needed. ■ 

Lemma 6.2.4 $\mathit{future}_i(V_i, \mathbb{R}^{\ge 0}) \subseteq V_i$. 

Proof: Follows directly from Lemmas 6.2.2 and 6.2.3. ■ 

In the following two lemmas, we use Lemma 6.2.4 to show that $V_i \subseteq \mathit{very\text{-}safe}_i$ and $V_i \subseteq 
\mathit{delay\text{-}safe}_i(t)$, for any $t \in \mathbb{R}^{\ge 0}$, respectively. 

Lemma 6.2.5 $V_i \subseteq \mathit{very\text{-}safe}_i$. 

Proof: From the definition of $\mathit{very\text{-}safe}$ in Section 3.2.1, we must show that the condition 
$\mathit{future}_i(V_i, \mathbb{R}^{\ge 0}) \subseteq G_i$ is satisfied. This follows directly from Lemma 6.2.4 and Lemma 6.2.1, 
part 2. ■ 



Lemma 6.2.6 For any $t \in \mathbb{R}^{\ge 0}$, it is the case that $V_i \subseteq \mathit{delay\text{-}safe}_i(t)$. 

Proof: Follows directly from Lemma 6.2.5 and Lemma 3.2.5, part 1. ■ 

In the next three lemmas and the subsequent corollary, we show that the sets $W_i$ and $\mathit{safe}_i$ 
are equal. First, we show that any state that is $R_i$-reachable from a state $p$ in $W_i$ through 
an execution fragment that involves no input actions on port $j$ and has a limit time equal 
to zero, is in the set $W_i$. Then, we show that $W_i \subseteq \mathit{safe}_i$ and $\mathit{safe}_i \subseteq W_i$. Finally, the 
subsequent corollary states that $W_i = \mathit{safe}_i$. 

Lemma 6.2.7 $\mathit{future}_i(W_i, 0) \subseteq W_i$. 
Proof: Let $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, 
that: starts in a state in $W_i$, is only comprised of states in $R_i$, involves no input actions on 
port $j$, and has a limit time equal to zero. Moreover, let $p_{init}$ and $p_{final}$ be the initial and 
final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, 
we show that $p_{final} \in W_i$. 

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an 
execution fragment that consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_i$, 
it follows that $p_{final} \in W_i$. 

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, 
for some $k \in \mathbb{N}$, then $p_{final} \in W_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised 
of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{final}$ is the final 
state of $\alpha'$, then it is the case that $p'_{final} \in W_i$. Since the final state of $\alpha$ is reached from the 
final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible 
steps leading from $p'_{final}$ to $p_{final}$. 

To complete the induction, we consider all possible discrete actions by cases: 

1. the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ are not enabled because $\alpha$ involves no input 
actions on port $j$. 

2. the actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, affect neither the 
velocity of any of the vehicles, nor the variables $\mathit{collided}(i, i'')$, for $i'' \in I, i'' \neq i$. 

From the induction hypothesis, it is the case that $p'_{final} \in W_i$. Since the actions 
$\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, do not affect the variables 
$\mathit{collided}(i, i'')$, for $i'' \in I, i'' \neq i$, it follows that $p_{final} \in G_i$. 

Moreover, the actions $\mathit{brake}(i')_{j'}$ and $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, do not 
affect the velocity of any of the vehicles, i.e., $p_{final}.\dot{x}_{i''} = p'_{final}.\dot{x}_{i''}$, for all $i'' \in I$. From 
Lemma 4.4.3, part 1, it follows that the section of the track owned by each of the 
vehicles does not grow, i.e., $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$. Since $p'_{final} \in W_i$, the 
section of track owned in state $p'_{final}$ by the vehicle $i$ does not overlap the sections of 
track owned by any of the vehicles it trails. From above however, $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, 
for all $i'' \in I$, and, therefore, the same applies for the state $p_{final}$. 

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_i$, it follows that 
$p_{final} \in W_i$. 

3. the $\mathit{brick\text{-}wall}(i')$ actions, for $i' \in I$, set the velocity of the vehicle $i'$ to zero and 
affect neither the variables $\mathit{collided}(i, i'')$, for $i'' \in I, i'' \neq i$, nor the velocity of any of 
the other vehicles, i.e., $p_{final}.\dot{x}_{i'''} = p'_{final}.\dot{x}_{i'''}$, for all $i''' \in I, i''' \neq i'$. 

Without loss of generality, consider a particular $\mathit{brick\text{-}wall}(i')$ action, for some $i' \in I$. 
From the induction hypothesis, it is the case that $p'_{final} \in W_i$. Since the $\mathit{brick\text{-}wall}(i')$ 
action does not affect the variables $\mathit{collided}(i, i'')$, for $i'' \in I, i'' \neq i$, it follows that 
$p_{final} \in G_i$. 

The $\mathit{brick\text{-}wall}(i')$ action sets the velocity of the vehicle $i'$ to zero. Therefore, since 
the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \le 
p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Moreover, 
since the $\mathit{brick\text{-}wall}(i')$ action does not affect the velocity of any of the other vehicles, 
it is the case that $p_{final}.\dot{x}_{i''} = p'_{final}.\dot{x}_{i''}$, for all $i'' \in I, i'' \neq i'$. Again, from Lemma 4.4.3, 
part 1, it follows that the section of the track owned by any of the vehicles other than 
$i'$ does not grow, i.e., $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I, i'' \neq i'$. 

Since $p'_{final} \in W_i$, the section of track owned in state $p'_{final}$ by the vehicle $i$ does 
not overlap the sections of track owned by any of the vehicles it trails. From above 
however, $p_{final}.O_{i''} \subseteq p'_{final}.O_{i''}$, for all $i'' \in I$, and, therefore, the same applies for the 
state $p_{final}$. 

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_i$, it follows that 
$p_{final} \in W_i$. 

4. the actions $\mathit{colliding\text{-}pair}(i', i'')$, for $i', i'' \in I, i' \neq i''$, and $\mathit{collision\text{-}effects}(i''')$, 
for $i''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$ and $p'_{final} \in W_i$. ■ 



Lemma 6.2.8 $W_i \subseteq \mathit{safe}_i$. 

Proof: From the definition of $\mathit{safe}$ in Section 3.2.1, we must show that any state $p \in W_i$ 
satisfies: (i) $\mathit{future}_i(p, 0) \subseteq G_i$, and (ii) there exists some action $\pi$ such that for every 
$p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_i$. 

(i) The first condition follows from Lemma 6.2.7, Lemma 6.2.1, part 1, and the fact that 
$p \in W_i$. 

(ii) For the second condition, consider the state $p''$ that follows from $p'$ after a $\mathit{brake}(i)_j$ 
action is executed, i.e., let $\pi = \mathit{brake}(i)_j$. Since the $\mathit{brake}(i)_j$ action does not affect the 
velocity of the vehicle $i$, it is the case that $p''.O_i = p'.O_i$. However, from Lemma 6.2.7 and 
the fact that $p \in W_i$ it follows that $p' \in W_i$. Since (i) $p' \in W_i$, (ii) the execution fragment 
leading from $p$ to $p'$ is restricted to the set $R_i$, and (iii) the $\mathit{brake}(i)_j$ action affects neither the variables 
$\mathit{collided}(i, i')$, for $i' \in I, i' \neq i$, nor the velocity of any of the vehicles (and, therefore, nor 
the section of the track owned by any of the vehicles), it follows that $p'' \in W_i$. Moreover, 
since $p''$ follows from $p'$ after a $\mathit{brake}(i)_j$ action, it is the case that $p'' \in P_{b_i}$. From the 
above conditions, it follows that $p'' \in V_i$. Finally, Lemma 6.2.5 implies that $p'' \in \mathit{very\text{-}safe}_i$, 
as needed. ■ 

Lemma 6.2.9 For any $p \in R_i$, if $p \in \mathit{safe}_i$ then $p \in W_i$. 
Proof: We show the contrapositive; that is, for any $p \in R_i$, if $p \notin W_i$ then $p \notin \mathit{safe}_i$. Since 
$W_i = \{p \in R_i \cap G_i \mid \nexists\, i' \in I, i' \neq i : p.O_i \cap p.O_{i'} \neq \emptyset \wedge p.x_i < p.x_{i'}\}$ and $p \in R_i$, we 
consider the condition $p \notin G_i$ and the condition that there exists $i' \in I, i' \neq i$, such that 
$p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. 

1. $p \notin G_i$. 

From Lemma 3.2.4, part 1, it is the case that $\mathit{safe}_i \subseteq G_i$. Since $p \notin G_i$, it follows that 
$p \notin \mathit{safe}_i$. 

2. $\exists\, i' \in I, i' \neq i$, such that $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. 

Without loss of generality, let $i' \in I, i' \neq i$, be the vehicle that satisfies the conditions 
$p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. Since $p \in \mathit{VALID}$, it is the case that the vehicles in 
state $p$ have no positive length extent overlap and, therefore, there is only one vehicle 
$i'$, for $i' \in I, i' \neq i$, satisfying the conditions $p.O_i \cap p.O_{i'} \neq \emptyset$ and $p.x_i < p.x_{i'}$. 

We must show that $p \notin \mathit{safe}_i$. However, $p \in \mathit{safe}_i$ implies that there exists some 
input action $\pi$ on port $j$ such that for every $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ 
and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_i$. Therefore, it suffices to show that 
for any input action $\pi$ on port $j$, there exist $p', p'' \in R_i$ satisfying $p' \in \mathit{future}_i(p, 0)$ 
and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_i$. We consider each input action $\pi$ on port $j$ 
separately. 

(a) $\pi = \mathit{brake}(i)_j$. 

Consider the state $p' \in R_i$ that is reached from the state $p$ through the execution 
of the action $\mathit{brick\text{-}wall}(i')$ and satisfies the condition $p'.\dot{x}_{i'} = 0$; that is, $p' \in R_i$ 
such that $p'.x_{i'} = p.x_{i'}$ and $p'.\dot{x}_{i'} = 0$. 

Since the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{brake}(i)_j$ affect neither the position, nor 
the velocity of the vehicle $i$, it is the case that $p''.x_i = p'.x_i = p.x_i$ and $p''.\dot{x}_i = 
p'.\dot{x}_i = p.\dot{x}_i$. Therefore, since the section of track owned by the vehicle $i$ depends 
only on the position and the velocity of the vehicle $i$, it is the case that $p''.O_i = 
p'.O_i = p.O_i$. Similarly, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the 
position of the vehicle $i'$ but sets its velocity to zero and the $\mathit{brake}(i)_j$ action 
affects neither the position, nor the velocity of the vehicle $i'$, it follows that 
$p''.x_{i'} = p'.x_{i'} = p.x_{i'}$ and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = 0$. Therefore, since $p.O_i \cap p.O_{i'} \neq \emptyset$, 
$p''.O_i = p.O_i$, and $p''.x_{i'} = p.x_{i'}$, it is the case that $p''.x_{i'} \in p''.O_i$. 
Now, consider the evolution of the VEHICLES automaton following the state $p''$ 
in which the vehicle $i'$ remains stationary. Since $p''.x_{i'} \in p''.O_i$, it follows that 
at some state of such an evolution the action $\mathit{colliding\text{-}pair}(i, i')$ is enabled 
and, subsequently, executed. The state of the VEHICLES automaton following the 
execution of the action $\mathit{colliding\text{-}pair}(i, i')$ would, therefore, not be in $G_i$. It 
follows that $p'' \notin \mathit{very\text{-}safe}_i$ which implies that $p \notin \mathit{safe}_i$. 
(b) $\pi = \mathit{unbrake}(i)_j$. 

Consider the state $p' \in R_i$ that is reached from the state $p$ through the execution 
of the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{unbrake}(i)_{j'}$, for all $j' \in J, j' \neq j$, and satisfies 
the condition $p'.\dot{x}_{i'} = 0$; that is, $p' \in R_i$ such that $p'.x_{i'} = p.x_{i'}$, $p'.\dot{x}_{i'} = 0$, and 
$p'.\mathit{brake\text{-}req}(i, j') = \mathit{False}$, for all $j' \in J, j' \neq j$. 

Since the actions $\mathit{brick\text{-}wall}(i')$ and $\mathit{unbrake}(i)_{j'}$, for all $j' \in J$, affect neither 
the position, nor the velocity of the vehicle $i$, it follows that $p''.x_i = p'.x_i = p.x_i$ 
and $p''.\dot{x}_i = p'.\dot{x}_i = p.\dot{x}_i$. Therefore, since the section of track owned by the 
vehicle $i$ depends only on the position and the velocity of the vehicle $i$, it is 
the case that $p''.O_i = p'.O_i = p.O_i$. Similarly, since the action $\mathit{brick\text{-}wall}(i')$ 
does not affect the position of the vehicle $i'$ but sets its velocity to zero and the 
actions $\mathit{unbrake}(i)_{j'}$, for all $j' \in J$, affect neither the position, nor the velocity 
of the vehicle $i'$, it follows that $p''.x_{i'} = p'.x_{i'} = p.x_{i'}$ and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = 0$. 
Therefore, since $p.O_i \cap p.O_{i'} \neq \emptyset$, $p''.O_i = p.O_i$, and $p''.x_{i'} = p.x_{i'}$, it is the case 
that $p''.x_{i'} \in p''.O_i$. 

Now, consider the evolution of the VEHICLES automaton following the state $p''$ 
in which the vehicle $i$ moves forward and the vehicle $i'$ remains stationary. Since 
$p''.x_{i'} \in p''.O_i$, it follows that at some state of such an evolution the action 
$\mathit{colliding\text{-}pair}(i, i')$ is enabled and, subsequently, executed. The state of the 
VEHICLES automaton following the execution of the action $\mathit{colliding\text{-}pair}(i, i')$ 
would, therefore, not be in $G_i$. It follows that $p'' \notin \mathit{very\text{-}safe}_i$ which implies that 
$p \notin \mathit{safe}_i$. 

Thus, for any input action $\pi$ on port $j$, there exist $p', p'' \in R_i$ satisfying $p' \in 
\mathit{future}_i(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_i$. It follows that $p \notin \mathit{safe}_i$, as 
needed. ■ 



Corollary 6.2.10 $W_i = \mathit{safe}_i$. 

Proof: Follows directly from Lemmas 6.2.8 and 6.2.9. ■ 

In the next few lemmas, we show that any state $p$ in the set $T_i(t)$, for any $t \in \mathbb{R}^{\ge 0}$, is in the 
set $\mathit{delay\text{-}safe}_i(t)$; that is, any state $R_i$-reachable from $p$ within an amount of time $t$ through 
an execution fragment that involves no input actions on port $j$, is in the set $G_i$ and any 
state $R_i$-reachable from the state $p$ in exactly an amount of time $t$ through an execution 
fragment that involves no input actions on port $j$, is in the set $\mathit{safe}_i$. 

Lemma 6.2.11 Let $p \in T_i(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and $p' \in \mathit{future}_i(p, t)$, where $t \in [0, \tau]$. If 
$p' \in G_i$ and $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, then $p' \in T_i(\tau - t)$. 
Proof: We need to show that $p' \in R_i \cap G_i$ and that there does not exist $i' \in I, i' \neq i$ such 
that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. We consider the conditions by cases: 

1. $p' \in R_i$. 

This is the case because the function $\mathit{future}_i(p, t)$ only considers $R_i$-reachable states. 

2. $p' \in G_i$. 

This is true by assumption. 

3. $\nexists\, i' \in I, i' \neq i$, such that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. 

Because $p \in T_i(\tau)$ we have that for all $i' \in I, i' \neq i$, such that $p.x_i < p.x_{i'}$, it is the 
case that $p.C_i(\tau) \cap p.C_{i'}(\tau) = \emptyset$; that is, for all $i' \in I, i' \neq i$, such that $p.x_i < p.x_{i'}$, it 
is the case that $\max(p.C_i(\tau)) < \min(p.C_{i'}(\tau))$. However, by assumption it is the case 
that $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$. Therefore, since the vehicle velocities are restricted to be 
non-negative, it follows that for all $i' \in I, i' \neq i$, such that $p'.x_i < p'.x_{i'}$, it is the case 
that $\max(p'.C_i(\tau - t)) < \min(p'.C_{i'}(\tau - t))$. This is sufficient to guarantee that there 
does not exist $i' \in I, i' \neq i$, such that $p'.C_i(\tau - t) \cap p'.C_{i'}(\tau - t) \neq \emptyset$ and $p'.x_i < p'.x_{i'}$. ■ 



Lemma 6.2.12 For all $p \in T_i(\tau)$, where $\tau \in \mathbb{R}^{\ge 0}$, and $p' \in \mathit{future}_i(p, t)$, where $t \in [0, \tau]$, it 
is the case that $p' \in G_i$ and $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$. 

Proof: Let $\tau \in \mathbb{R}^{\ge 0}$ and $\alpha$ be an execution fragment of the VEHICLES automaton of $n$ steps 
and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $T_i(\tau)$, is only comprised of states 
in $R_i$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval 
$[0, \tau]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show 
that $p_{final} \in G_i$ and $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$. The proof is by induction on the length $n$ 
of the execution fragment $\alpha$. 

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an 
execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ 
and $\alpha.\mathit{ltime} = 0$, i.e., $t = 0$. From Lemma 6.2.1, part 1, and the fact that $p_{init} \in T_i(\tau)$, it 
follows that $p_{final} \in G_i$. Moreover, since $t = 0$, the fact that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ is 
trivially true. 

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, 
for some $k \in \mathbb{N}$, with $\alpha.\mathit{ltime} = t$, where $t \in [0, \tau]$, then $p_{final} \in G_i$ and $p_{final}.C_i(\tau - t) \subseteq 
p_{init}.C_i(\tau)$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps 
and trajectories and let $\alpha'.\mathit{ltime} = t'$, where $t' \in [0, t]$. The induction hypothesis involves 
the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then it 
is the case that $p'_{final} \in G_i$ and $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Moreover, from Lemma 6.2.11 
it follows that $p'_{final} \in T_i(\tau - t')$. Since the final state of $\alpha$ is reached from the final state of 
$\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible 
steps and trajectories leading from $p'_{final}$ to $p_{final}$. 

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, 
we consider all possible actions by cases: 

1. the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ are not enabled because $\alpha$ involves no input 
actions on port $j$. 

2. the $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and does not affect 
the variables $\mathit{collided}(i, i')$, for $i' \in I, i' \neq i$. 

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the 
internal action $\mathit{brick\text{-}wall}(i)$ does not affect the variables $\mathit{collided}(i, i')$, for $i' \in I, i' \neq 
i$, it follows that $p_{final} \in G_i$. 

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case 
that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - 
t) \subseteq p'_{final}.C_i(\tau - t')$. However, from the induction hypothesis it is the case that 
$p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - 
t) \subseteq p_{init}.C_i(\tau)$, as needed. 

3. the actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, 
for $i'' \in I, i'' \neq i$, affect neither the velocity of the vehicle $i$, nor the variables 
$\mathit{collided}(i, i''')$, for $i''' \in I, i''' \neq i$. 

From the induction hypothesis, it is the case that $p'_{final} \in G_i$. Therefore, since the 
actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, and $\mathit{brick\text{-}wall}(i'')$, for 
$i'' \in I, i'' \neq i$, do not affect the variables $\mathit{collided}(i, i''')$, for $i''' \in I, i''' \neq i$, it follows 
that $p_{final} \in G_i$. 

Moreover, since the input actions $\mathit{brake}(i')_{j'}$, $\mathit{unbrake}(i')_{j'}$, for $i' \in I, j' \in J, j' \neq j$, 
and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I, i'' \neq i$, do not affect the velocity 
of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it 
follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$. However, from the induction hypothesis 
it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows 
that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, as needed. 

4. the actions $\mathit{colliding\text{-}pair}(i', i'')$, for $i', i'' \in I, i' \neq i''$, and $\mathit{collision\text{-}effects}(i''')$, 
for $i''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_i$ and $p'_{final} \in 
T_i(\tau - t')$. 

In the case of a trajectory, Lemma 4.4.4, part 2, implies that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$. 
However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$. 
Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$. Moreover, since 
$p'_{final} \in G_i$ and the variables $\mathit{collided}(i, i')$, for all $i' \in I, i' \neq i$, remain constant throughout 
the trajectory, it follows that $p_{final} \in G_i$, as needed. ■ 

Lemma 6.2.13 For $\tau \in \mathbb{R}^{\ge 0}$ and $t \in [0, \tau]$, it is the case that $\mathit{future}_i(T_i(\tau), t) \subseteq T_i(\tau - t)$. 

Proof: Follows directly from Lemmas 6.2.11 and 6.2.12. ■ 

Lemma 6.2.14 For all $t \in \mathbb{R}^{\ge 0}$, it is the case that $T_i(t) \subseteq \mathit{delay\text{-}safe}_i(t)$. 

Proof: We need to show that $\mathit{future}_i(T_i(t), [0, t]) \subseteq G_i$ and $\mathit{future}_i(T_i(t), t) \subseteq \mathit{safe}_i$. The 
first condition follows directly from Lemma 6.2.13 and Lemma 6.2.1, part 1. For the second 
condition, from Lemma 6.2.13 and Lemma 6.2.1, part 3, it is the case that $\mathit{future}_i(T_i(t), t) \subseteq 
W_i$. Therefore, Lemma 6.2.8 implies that $\mathit{future}_i(T_i(t), t) \subseteq \mathit{safe}_i$, as needed. ■ 

In the following lemma, we show that the CL-PROT-SOLO$_i$ protector implements the pro- 
tector $\mathit{Abs}(\mathrm{VEHICLES}, S_i, R_i, G_i, j, d)$. Since the protector automata CL-PROT-SOLO$_i$ and 
$\mathit{Abs}_i$ involve the composition of the same sensor automaton with distinct discrete con- 
troller automata, it suffices to show that the discrete controller automaton of the protector 
CL-PROT-SOLO$_i$ implements the $\mathit{DC}(\mathrm{VEHICLES}, S_i, R_i, G_i, j, d)$ automaton. 

Lemma 6.2.15 CL-PROT-SOLO$_i$ $\le$ $\mathit{Abs}(\mathrm{VEHICLES}, S_i, R_i, G_i, j, d)$. 

Proof: Both the CL-PROT-SOLO$_i$ and the $\mathit{Abs}_i$ protectors involve the composition of the 
same sensor automaton with distinct discrete controller automata. From Theorem 2.7.4, it 
suffices to show that the discrete controller automaton of CL-PROT-SOLO$_i$ implements $\mathit{DC}_i$. 
This is shown by a simulation from the discrete controller automaton of CL-PROT-SOLO$_i$ to 
$\mathit{DC}_i$. 

As in the overspeed case, the mapping between the states of the discrete controller automa- 
ton of CL-PROT-SOLO$_i$ and $\mathit{DC}_i$ is almost the identity. In the discrete controller automaton 
of CL-PROT-SOLO$_i$, the variable $\mathit{send}_j$ is equal to either one of the labels $\mathit{brake}$ and $\mathit{unbrake}$, 
or the value $\mathit{null}$. In the abstract discrete controller automaton, these valuations simply 
map to either the actions $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, or the value $\mathit{null}$, respectively. 

The start states for the discrete controller automaton of CL-PROT-SOLO$_i$ and $\mathit{DC}_i$ are the 
states in which $\mathit{send}_j = \mathit{null}$. These are mapped to each other according to the mapping 
discussed above. 

Furthermore, since the trajectories in both discrete controller automata are identical, we 
need only consider their discrete transitions. We analyze the actions of the implementation 
by cases, letting $p$ denote any complete state of the VEHICLES automaton that corresponds 
to $y$, i.e., $p \in \mathit{VALID}$ and $p \lceil \mathrm{VEHICLES} = y$. 
1. The $\mathit{snapshot}(y)_j$ action of the implementation sets $\mathit{send}_j$ to $\mathit{brake}$, or $\mathit{unbrake}$. In 
order to show that the behavior of the implementation is allowed by the specification, 
we must show that the input action $\mathit{snapshot}(y)_j$ of the implementation sets the 
value of the $\mathit{send}_j$ variable in such a way that the subsequently enabled action $\pi$ of 
the implementation (i) guarantees that for all $p', p'' \in R_i$ such that $p' \in \mathit{future}_i(p, 0)$ 
and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{delay\text{-}safe}_i(d)$, if $p \in \mathit{safe}_i$, and (ii) is an arbitrary 
output action of the implementation, otherwise. 

First, consider the case in which $p \in \mathit{safe}_i$. Since Corollary 6.2.10 implies that $p \in W_i$, 
the discrete controller automaton of CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_j$ according 
to whether the state $p$ is in $T_i(d)$, or not. 

On one hand, if $p \notin T_i(d)$ then the discrete controller automaton of CL-PROT-SOLO$_i$ 
sets the variable $\mathit{send}_j$ to $\mathit{brake}$ and the $\mathit{brake}(i)_j$ action is enabled. However, since 
$p \in W_i$, Lemma 6.2.7 implies that $p' \in W_i$. Moreover, since the $\mathit{brake}(i)_j$ action affects 
neither the velocity of any of the vehicles, nor any of the $\mathit{collided}$ variables, it follows 
that $p'' \in R_i$, $p'' \in G_i$, and $p''.\dot{x}_i = p'.\dot{x}_i$. Therefore, Lemma 4.4.3, part 1, implies 
that $p''.O_i \subseteq p'.O_i$. From the above conditions and the non-negative constraint on the 
vehicle velocities, it follows that $p'' \in W_i$. Moreover, since the $\mathit{brake}(i)_j$ action sets 
the $\mathit{brake\text{-}req}(i, j)$ variable to $\mathit{True}$, it follows that $p'' \in V_i$. Finally, from Lemma 6.2.6 
it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed. 

On the other hand, if $p \in T_i(d)$ then the discrete controller automaton of the protector 
CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_j$ to $\mathit{unbrake}$ and the $\mathit{unbrake}(i)_j$ action is 
enabled. However, since $p \in T_i(d)$, Lemma 6.2.13 implies that $p' \in T_i(d)$. Since the 
$\mathit{unbrake}(i)_j$ action affects neither the velocity of any of the vehicles, nor any of the 
$\mathit{collided}$ variables, it follows that $p'' \in R_i$, $p'' \in G_i$, and $p''.\dot{x}_i = p'.\dot{x}_i$. Therefore, 
Lemma 4.4.3, part 2, implies that $p''.C_i(d) \subseteq p'.C_i(d)$. From the above conditions 
and the non-negative constraint on the vehicle velocities, it follows that $p'' \in T_i(d)$. 
Finally, from Lemma 6.2.14 it follows that $p'' \in \mathit{delay\text{-}safe}_i(d)$, as needed. 

Next, consider the case in which $p \notin \mathit{safe}_i$. In this case, the $\mathit{snapshot}(y)_j$ action of 
the discrete controller automaton of CL-PROT-SOLO$_i$ sets the variable $\mathit{send}_j$ to either 
$\mathit{brake}$ or $\mathit{unbrake}$ and, subsequently, enables either the action $\mathit{brake}(i)_j$, or the action 
$\mathit{unbrake}(i)_j$. However, when $p \notin \mathit{safe}_i$, the $\mathit{DC}_i$ automaton sets the variable $\mathit{send}_j$ 
arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the 
behavior of the discrete controller automaton of CL-PROT-SOLO$_i$ is allowed by that of 
the $\mathit{DC}_i$ automaton. 

Therefore, the effects of the $\mathit{snapshot}(y)_j$ action of the implementation are allowed 
by its specification. 

2. The $\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$ actions have identical effects in both discrete controller 
automata. When the $\mathit{send}_j$ variable matches the label $\mathit{brake}$ or $\mathit{unbrake}$ or the action 
$\mathit{brake}(i)_j$ and $\mathit{unbrake}(i)_j$, respectively, the respective action is performed and the 
$\mathit{send}_j$ variable is set to $\mathit{null}$ in both discrete controller automata. 

3. The environment action in both discrete controller automata is stuttering. It fol- 
lows that the mapping between the states of the discrete controller automaton of 
CL-PROT-SOLO$_i$ and the $\mathit{DC}_i$ automaton prior to and succeeding the execution of the 
environment action remains the same. ■ 
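The decision rule of the CL-PROT-SOLO$_i$ discrete controller established above (request the brake when the plant state is in $W_i$ but not in $T_i(d)$, release it when the state is in $T_i(d)$, anything when the state is outside $\mathit{safe}_i = W_i$) can be exercised on a toy model. The following Python is an added worked example, not code from the thesis or from the PRT 2000 project. It assumes point vehicles on a straight track with non-negative velocities, and it assumes concrete shapes for the sets the page only names: $O_i$ is taken to be the stopping envelope $[x_i, x_i + \dot{x}_i^2/(2a_{brake})]$, and $C_i(\tau)$ the envelope reachable by accelerating at $a_{max}$ for $\tau$ time units and then braking to a stop. Both depend only on $x_i$ and $\dot{x}_i$ and shrink when $\dot{x}_i$ drops, which is the property Lemma 4.4.3 is used for; the thesis's own definitions are not reproduced on this page. The $\mathit{collided}$ variables are assumed all $\mathit{False}$ (the state is in $G_i$). The example also replays the counterexample of Lemma 6.2.9: from a state outside $W_i$, a $\mathit{brick\text{-}wall}(i')$ followed by emergency braking of $i$ still ends in a collision.

```python
"""Toy model of W_i, T_i(tau) and the CL-PROT-SOLO_i decision rule.

Added example; the envelopes below are assumptions made for this example:
  O_i        = [x_i, x_i + v_i^2 / (2*A_BRAKE)]                (stopping envelope)
  C_i(tau)   = [x_i, x_i + v_i*tau + A_MAX*tau^2/2
                     + (v_i + A_MAX*tau)^2 / (2*A_BRAKE)]       (accelerate tau, then stop)
Vehicles are points on a straight track; velocities are never negative.
"""
from dataclasses import dataclass, replace

A_MAX = 2.0     # assumed maximum acceleration, m/s^2
A_BRAKE = 4.0   # assumed emergency-brake deceleration, m/s^2


@dataclass(frozen=True)
class Vehicle:
    x: float   # position along the track, m
    v: float   # velocity, m/s (non-negative)


def owned(veh):
    """O_i: track section vehicle i needs to come to a stop (assumed shape)."""
    return (veh.x, veh.x + veh.v ** 2 / (2 * A_BRAKE))


def reach(veh, tau):
    """C_i(tau): worst case section after tau units of acceleration, then braking."""
    v_end = veh.v + A_MAX * tau
    return (veh.x, veh.x + veh.v * tau + A_MAX * tau ** 2 / 2 + v_end ** 2 / (2 * A_BRAKE))


def overlap(a, b):
    """Closed intervals a and b share at least one point."""
    return a[0] <= b[1] and b[0] <= a[1]


def in_W(state, i):
    """p in W_i: O_i is disjoint from O_i' for every vehicle i' that i trails."""
    me = state[i]
    return not any(overlap(owned(me), owned(o))
                   for k, o in state.items() if k != i and me.x < o.x)


def in_T(state, i, tau):
    """p in T_i(tau): C_i(tau) is disjoint from C_i'(tau) for every i' that i trails."""
    me = state[i]
    return not any(overlap(reach(me, tau), reach(o, tau))
                   for k, o in state.items() if k != i and me.x < o.x)


def decide(state, i, d):
    """Value of send_j chosen by the controller for vehicle i (Lemma 6.2.15, case 1)."""
    if not in_W(state, i):
        return "brake"          # p outside safe_i: the spec allows anything; brake is conservative
    return "unbrake" if in_T(state, i, d) else "brake"


def brick_wall(state, k):
    """brick-wall(k): vehicle k stops dead; nothing else changes."""
    return {**state, k: replace(state[k], v=0.0)}


def collides_after_brick_wall(state, i, k, dt=0.01):
    """Lemma 6.2.9 scenario: k hits a brick wall, i brakes at A_BRAKE. Does i reach x_k?"""
    st = brick_wall(state, k)
    x, v, wall_x = st[i].x, st[i].v, st[k].x
    while v > 0:
        v = max(0.0, v - A_BRAKE * dt)
        x += v * dt
        if x >= wall_x:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample states: vehicle 1 trails vehicle 2 on the same track.
    spaced = {1: Vehicle(0.0, 10.0), 2: Vehicle(30.0, 0.0)}
    close = {1: Vehicle(0.0, 10.0), 2: Vehicle(10.0, 5.0)}
    for name, st in (("spaced", spaced), ("close", close)):
        print(name, "in W_1:", in_W(st, 1), "send_j(d=1):", decide(st, 1, 1.0),
              "send_j(d=2):", decide(st, 1, 2.0),
              "collision after brick-wall(2):", collides_after_brick_wall(st, 1, 2))
```

The two sample states show the three branches of the rule: with 30 m of headway the state is in $W_1$ and in $T_1(1)$ but not in $T_1(2)$, so the controller's choice depends on the delay bound $d$; with 10 m of headway at 10 m/s the state is outside $W_1$, and a wall in front of vehicle 2 leads to a collision even under emergency braking, which is exactly why such a state cannot be in $\mathit{safe}_1$.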



Corollary 6.2.16 The protector CL-PROT-SOLO$_i$ guarantees $G_i$ in the VEHICLES automaton 
starting from $S_i$ given $R_i$. 

Proof: Follows directly from Lemma 6.2.15 and Theorem 3.2.9. ■ 



6.3 Protection System CL-PROT 

We now define the collision protector CL-PROT. While considering the CL-PROT automa- 
ton, we restrict the states of the VEHICLES automaton to the set $P_{\mathit{not\text{-}overspeed}}$ as defined in 
Section 4.2, i.e., $R_{\text{CL-PROT}} = P_{\mathit{not\text{-}overspeed}}$. Let $G_{\text{CL-PROT}}$ and $S_{\text{CL-PROT}}$ be the intersection of 
$G_i$ and $S_i$, for all $i \in I$, respectively, and CL-PROT be the composition of the protectors 
CL-PROT-SOLO$_i$, for all $i \in I$. The protector CL-PROT guarantees that the VEHICLES au- 
tomaton remains within $G_{\text{CL-PROT}}$ starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$. For reference, the 
formal definitions of the CL-PROT automaton and the sets $G_{\text{CL-PROT}}$, $S_{\text{CL-PROT}}$, and $R_{\text{CL-PROT}}$ 
are shown in Table 6.2. 

Table 6.2 Formal definitions of CL-PROT, $G_{\text{CL-PROT}}$, $S_{\text{CL-PROT}}$, and $R_{\text{CL-PROT}}$ 

$\text{CL-PROT} = \prod_{i \in I} \text{CL-PROT-SOLO}_i$ 

$G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$ 

$S_{\text{CL-PROT}} = \bigcap_{i \in I} S_i$ 

$R_{\text{CL-PROT}} = P_{\mathit{not\text{-}overspeed}}$ 

Lemma 6.3.1 The protector CL-PROT guarantees $G_{\text{CL-PROT}}$ in the VEHICLES automaton 
starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$. 

In the following proof, we show that all the states of an execution of PP $\times$ CL-PROT starting 
from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$ are in $G_{\text{CL-PROT}}$. This is done by applying Theorem 3.1.8 and 
showing that the second condition of the theorem does not hold. 

Proof: Let $\alpha$ be any execution of the system PP $\times$ CL-PROT starting from a state in $S_{\text{CL-PROT}}$ 
and in which all states are in $R_{\text{CL-PROT}}$. 

From Theorem 3.1.8, one of the following holds: 

1. Every state in $\alpha$ is in $G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$. 

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where 

(a) All state occurrences in $\alpha_1$ except possibly the last state occurrence are in the 
set $G_{\text{CL-PROT}} = \bigcap_{i \in I} G_i$. 

(b) If the last state occurrence in $\alpha_1$ is not in $G_i$, for some $i \in I$, then there exists 
$i' \in I, i' \neq i$, such that the last state occurrence in $\alpha_1$ is not in $G_{i'}$. 

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence are in the 
set $\bigcap_{i \in N} \mathit{past}(\overline{G_i}, \alpha)$, for some $N \subseteq I$, where $|N| \ge 2$. 

We proceed by showing that it is not possible to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$ while satisfying 
the three aforementioned conditions. 

The violation of $\bigcap_{i \in I} G_i$ can only occur through the violation of at least one of the 
conditions $G_i$, where $i \in I$. Moreover, each of these conditions is violated only through 
the execution of a $\mathit{colliding\text{-}pair}$ action. Without loss of generality, suppose that the first 
condition that is violated in $\alpha$ is the condition $G_i$, for some $i \in I$, and that such a violation 
has resulted through a $\mathit{colliding\text{-}pair}(i, i')$ action, for some $i' \in I, i' \neq i$. Let $p$ and $p'$ be 
the states of the VEHICLES automaton prior to and succeeding this $\mathit{colliding\text{-}pair}(i, i')$ 
action, i.e., $p, p' \in R_{\text{CL-PROT}}$ such that $p \xrightarrow{\pi} p'$, where $\pi = \mathit{colliding\text{-}pair}(i, i')$. Since 
the $\mathit{colliding\text{-}pair}(i, i')$ action only sets the $\mathit{collided}(i, i')$ variable to $\mathit{True}$, it follows that 
$p' \in \overline{G_i} \cap \bigl(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\bigr)$. Now, we attempt to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$. 

1. Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$. Since 
$p'$ is the first state in which one of the conditions $G_{i''}$, for $i'' \in I$, is violated, it is the 
case that $p \in \bigcap_{i'' \in I} G_{i''}$ and there does not exist $N \subseteq I$ such that $|N| \ge 2$ and $p \in 
\bigcap_{i \in N} \mathit{past}(\overline{G_i}, \alpha)$. Therefore, the third condition is violated and this decomposition 
of $\alpha$ is not valid. 
2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first 
state in which one of the conditions $G_{i''}$, for $i'' \in I$, is violated and since the state 
$p'$ is in $\overline{G_i} \cap \bigl(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\bigr)$, it follows that there does not exist $N \subseteq I$ such that 
$|N| \ge 2$ and $p' \in \bigcap_{i \in N} \mathit{past}(\overline{G_i}, \alpha)$. Therefore, the third condition is violated and 
this decomposition of $\alpha$ is not valid. 

3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of 
$\alpha_2$. However, $p' \in \overline{G_i} \cap \bigl(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\bigr)$, so $G_i$ is the only condition violated in $p'$. Therefore, the second condition is violated 
and this decomposition of $\alpha$ is not valid. 

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since 
$p' \in \overline{G_i} \cap \bigl(\bigcap_{i'' \in I, i'' \neq i} G_{i''}\bigr)$, it is the case that $p' \notin \bigcap_{i'' \in I} G_{i''}$. Therefore, the first 
condition is violated and this decomposition of $\alpha$ is not valid. 

Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows 
that the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{\text{CL-PROT}}$. 
This implies that the protector CL-PROT guarantees $G_{\text{CL-PROT}}$ in the VEHICLES automaton 
starting from $S_{\text{CL-PROT}}$ given $R_{\text{CL-PROT}}$. ■ 
Chapter 7 

Example 3: Collision Avoidance on Merging Tracks 



This chapter treats collision avoidance among vehicles that are traveling on a track involving 
a binary merge. We first augment the model of the PRT 2000™ to involve a track topology 
consisting of two merging tracks — the new model is referred to as the MERGE-VEHICLES 
automaton. Then we define the protector MERGE-PROT that guarantees that none of the 
vehicles of the MERGE-VEHICLES automaton collide, assuming that they are all abiding 
by the speed limit. The MERGE-PROT protector is defined as the composition of $n(n-1)/2$ 
separate copies of another protector called MERGE-PROT-PAIR$_{\{i,i'\}}$, one copy for each 
unordered pair $\{i, i'\}$ of vehicles of the MERGE-VEHICLES automaton, for $i, i' \in I, i \neq i'$. 
Each of these MERGE-PROT-PAIR$_{\{i,i'\}}$ protectors, for $i, i' \in I, i \neq i'$, is an implementation of 
a particular instantiation of the abstract protector automaton of Section 3.2 and guarantees 
that the vehicles $i$ and $i'$ do not collide into each other. 



7.1 Augmented Physical Plant: MERGE-VEHICLES 

In this section we augment the model for the system of n vehicles to involve a merge of two 
sections of track. We replace the position component of a vehicle's state with a location 
component — a component that specifies the track on which the vehicle is traveling and 
the vehicle's position with respect to the merge point — and update the definitions of 
the discrete steps and the trajectories of the VEHICLES automaton to handle the location 
variables. We replace the brake and unbrake input actions of the VEHICLES automaton 
with protect input actions which allow single protectors to instruct multiple vehicles to 
apply their "emergency" brakes. Finally, we augment the definitions of the discrete actions 
pertaining to vehicle collisions such that the blame for a particular collision is assigned to
either only the trailing vehicle, if one vehicle collides into the other vehicle from behind, or 
both vehicles, if the vehicles collide sideways while merging. 

The set of track locations in the VEHICLES automaton was a line. In the case of a binary 
merge, the set of locations is a Y-shaped track — two incoming branches and one outgoing 
branch. We define the set of locations L as follows: 

L = ({left, right} × R^{<0}) ∪ ({out} × R^{≥0})

Each location l, for l ∈ L, is comprised of two components; the first component represents
the branch of the track on which the vehicle is traveling and the second component represents
the position of the vehicle with respect to the merge point. The locations on the top branch
of the merge have the label left and a negative real number as their respective components.
Similarly, the locations on the bottom branch of the merge have the label right and a
negative real number as their respective components. The locations on the merged section
of the track are specified by the label out and a non-negative real number. The point
(out, 0) is the first point on the merged section of the track that no two vehicles can occupy
simultaneously. For notational brevity, we use l.b and l.x to denote the branch and the
position components of the location l, respectively.

We define a partial order on L, as follows. If (b_1, x_1) and (b_2, x_2) are locations in L then
(b_1, x_1) ≤ (b_2, x_2) if and only if x_1 ≤ x_2 and either b_1 = b_2, or b_2 = out. In other words,
two locations are incomparable if one specifies a location on the left branch and the other
specifies a location on the right branch; otherwise, they are comparable and their order is
given by the ordering on their real component.

A closed interval in L is specified with an ordered pair of locations that are comparable,
e.g., [(left, −1), (out, 2.5)], and contains all locations between them. Addition with non-negative
scalars on L is defined as follows: if (b, x) is a location in L and y ∈ R^{≥0}, then
(b, x) + y is equal to (b, x + y) if x + y is negative, and (out, x + y) otherwise. It is important
to note that for all y ∈ R^{≥0}, (b, x) + y exists and (b, x) ≤ ((b, x) + y).

The automaton MERGE-VEHICLES of Figure 7.1 models a physical system of n vehicles 
traveling on a track involving a Y-shaped merge. The MERGE-VEHICLES automaton is the 
result of augmenting the VEHICLES automaton of Chapter 4 to allow for the Y-shaped track 
topology. 

In the new model, each of the position components x_i of the state of the VEHICLES automaton
is replaced with the corresponding location component l_i. This entails simply replacing the
occurrences of x_i with l_i.x. The derived variables stop-dist_i, max-range_i(t), and max-vel_i(t),
for i ∈ I and t ∈ R^{≥0}, defined for the VEHICLES automaton in Section 4.3, carry over
unchanged to the MERGE-VEHICLES automaton. The derived variables E_i, O_i, and C_i(t),
Figure 7.1 The MERGE-VEHICLES automaton.

Actions:
  Input:
    e, the environment action (stuttering)
    protect(C)_j, for all C ∈ P(I), j ∈ J
  Internal:
    colliding-pair(i, i'), for all i, i' ∈ I, i ≠ i'
    collision-effects(i), for all i ∈ I
    brick-wall(i), for all i ∈ I

Variables:
  Internal:
    ẍ_i ∈ R, for all i ∈ I, initially ẍ_i ∈ R
    brake(i) ∈ Bool, for all i ∈ I, initially False
    brake-req(i, j) ∈ Bool, for all i ∈ I, j ∈ J, initially False
  Output:
    l_i ∈ L, for all i ∈ I, initially l_i ∈ L
    ẋ_i ∈ R, for all i ∈ I, initially ẋ_i ∈ R
    collided(i, i') ∈ Bool, for all i, i' ∈ I, i ≠ i', initially False
  subject to VALID

Discrete Transitions:

  protect(C)_j
    Eff: for all i ∈ C
           brake-req(i, j) := True
           if ¬brake(i) then
             brake(i) := True
             if ẋ_i = 0 then ẍ_i := 0
             else ẍ_i := c_brake
         for all i ∈ I − C
           brake-req(i, j) := False
           if brake(i) ∧ (¬∃k ∈ J: brake-req(i, k)) then
             brake(i) := False
             ẍ_i :∈ [c_min, c_max]

  colliding-pair(i, i')
    Pre: ¬collided(i, i')
         ∧ (E_i ∩ E_i' ≠ ∅)
         ∧ (l_i < min(E_i ∩ E_i'))
    Eff: collided(i, i') := True
         if (l_i.b ≠ l_i'.b) ∧ (l_i.b ≠ out) ∧ (l_i'.b ≠ out) then
           collided(i', i) := True

  collision-effects(i)
    Pre: collided(*, i, *)
    Eff: ẋ_i :∈ R^{≥0}
         ẍ_i :∈ R

  brick-wall(i)
    Pre: True
    Eff: ẋ_i := 0
         if brake(i) then ẍ_i := 0
         else ẍ_i :∈ [0, c_max]

Trajectories:
  for all i, i' ∈ I, i ≠ i', collided(i, i') is constant throughout w
  for all i ∈ I and j ∈ J, brake(i) and brake-req(i, j) are constant throughout w
  for all i ∈ I
    the function w.ẍ_i is integrable
    for all t ∈ T_w
      w(t).ẋ_i = w(0).ẋ_i + ∫_0^t w(s).ẍ_i ds
      w(t).l_i.x = w(0).l_i.x + ∫_0^t w(s).ẋ_i ds
  for all i, i' ∈ I, i ≠ i'
    if ¬w.collided(i, i')
       ∧ (w(t).E_i ∩ w(t).E_i' ≠ ∅)
       ∧ (w(t).l_i < min(w(t).E_i ∩ w(t).E_i'))
    then t = w.ltime
  subject to VALID
for i ∈ I and t ∈ R^{≥0}, defined for the VEHICLES automaton in Sections 4.1 and 4.3, extend
to the MERGE-VEHICLES automaton by replacing the position variables with their location
counterparts.

In the VEHICLES automaton, a collision between two vehicles is recorded solely by the 
trailing vehicle — as if it is the only vehicle blamed for the collision. The rationale behind 
this approach is that the trailing vehicle is the only vehicle that is capable of preventing a 
collision through braking; that is, the trailing vehicle is liable for the collision. This rationale 
carries over to the MERGE-VEHICLES automaton with the exception that in the MERGE- 
VEHICLES automaton it is possible for two vehicles to collide sideways while merging. In such 
situations, it is not clear which vehicle is liable for the collision and, therefore, the collision is 
recorded by both vehicles involved in the collision. This is done by augmenting the effects of
the colliding-pair(i, i') actions, for i,i' ∈ I, i ≠ i', so that a colliding-pair(i, i') action
sets both the variables collided(i, i') and collided(i', i) to True when the vehicles i and i' are
colliding sideways while merging. If indeed the vehicles i and i' are colliding sideways while
merging, although both of the actions colliding-pair(i, i') and colliding-pair(i', i) are
enabled, only one of them is actually executed and neither of them is enabled thereafter.
The interpretation of the collided(i, i') variables, for i,i' ∈ I, i ≠ i', still remains the same;
that is, each of the variables collided(i, i'), for i,i' ∈ I, i ≠ i', denotes whether the vehicle i
has collided into the vehicle i'. However, if collided(i, i') = True and collided(i', i) = False,
then it follows that the vehicle i has collided into the vehicle i' from behind, whereas, if
collided(i, i') = True and collided(i', i) = True, then it follows that the vehicles i and i' have
collided sideways while merging.

The brake(i)_j and unbrake(i)_j actions of the VEHICLES automaton, for i ∈ I and j ∈ J,
are replaced by the protect(C)_j actions, for C ∈ P(I) and j ∈ J. These actions enable a
protector j to instruct each of the vehicles in the set of vehicles C to apply its "emergency"
brakes. If a vehicle i is a member of C then it is requested to brake by the protector j,
emulating a brake(i)_j action of the VEHICLES automaton; otherwise, any previous request
of the protector j to brake the vehicle i is revoked, emulating an unbrake(i)_j action of the
VEHICLES automaton.

As in the case of the VEHICLES automaton, the set of input actions of the MERGE-VEHICLES
automaton includes the actions protect(C)_j, for C ∈ P(I) and j ∈ J; that is, the MERGE-VEHICLES
automaton allows each protector j, for j ∈ J, to brake any subset of the vehicles.
However, it is often the case that a protector j, for some j ∈ J, need only schedule a
subset of the actions protect(C)_j, for C ∈ P(I). In such cases, the protector j is specified
as having only the output actions that it is capable of scheduling and the remaining input
actions of the MERGE-VEHICLES automaton on port j are ignored.

The remaining state variables and discrete actions of the VEHICLES automaton as well as the
notational shorthand collided(i, *), collided(*, i), and collided(*, i, *), for all i ∈ I, defined
for the VEHICLES automaton in Section 4.1, carry over to the MERGE-VEHICLES automaton
unchanged.

In the case of the trajectories of the MERGE-VEHICLES automaton, it is important to note 
that due to the nature of the set of locations L, as the vehicles travel past the merge point, 
the branch component of their location variables changes from either left, or right to out. 

Finally, we redefine the set VALID to account for the new track topology.

VALID ⊆ states(MERGE-VEHICLES), defined as the set of states of the MERGE-VEHICLES
automaton that satisfy the following conditions:

1. ∄ i,i' ∈ I, i ≠ i', such that the set E_i ∩ E_i' is a positive length closed interval of L.

2. ẋ_i ≥ 0, for all i ∈ I.

3. If ¬collided(*, i, *) then ẍ_i ∈ [c_min, c_max], for all i ∈ I.

4. If ¬collided(*, i, *) ∧ brake(i) then if ẋ_i = 0 then ẍ_i = 0 else ẍ_i = c_brake, for all i ∈ I.


The MERGE-VEHICLES automaton complies with the assumptions made about the PP automaton
in Section 3.2.1. The MERGE-VEHICLES automaton has neither input variables,
nor output actions, on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover,
each of the actions protect(C_j)_j, for j ∈ J and C_j = {i | brake-req(i, j) = True}, is a no-op
input action on port j for any R ⊆ VALID. Therefore, the set of no-op input actions on
each port j ∈ J and any R ⊆ VALID is non-empty (Axiom 3.2.3).

Henceforth, we assume that the sets disjoint-extents(i, i'), disjoint-owned-tracks(i, i'), and
disjoint-claimed-tracks(i, i', t), for i,i' ∈ I, i ≠ i' and t ∈ R^{≥0}, defined for the VEHICLES
automaton in Section 4.3, have been extended to the MERGE-VEHICLES automaton to
incorporate the redefinitions of the derived variables used in their definitions. Moreover, we
assume that the Lemmas 4.4.1, 4.4.2, 4.4.3, 4.4.4, and 4.4.5 extend to the MERGE-VEHICLES
automaton in the obvious way.

7.2 Auxiliary Sets for the MERGE-VEHICLES Automaton 

This section presents several auxiliary sets for the MERGE-VEHICLES automaton that are 
comprised of states that satisfy particular properties. While their formal definitions appear 
in Table 7.1, their informal descriptions follow. 

comparable(i, i'), for i,i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in which
the locations of the vehicles i and i' are comparable.

incomparable(i, i'), for i,i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in
which the locations of the vehicles i and i' are not comparable.

yield-comparable(i, i'), for i,i' ∈ I, i ≠ i', is the subset of comparable(i, i') comprised of
the states in which, in the case of a claim overlap between the vehicles i and i', the
vehicle i must yield to the vehicle i'. When the locations of the vehicles i and i' are
comparable, the vehicle i must yield to the vehicle i' if the location of the vehicle i is
strictly less than the location of the vehicle i'.

yield-incomparable(i, i'), for i,i' ∈ I, i ≠ i', is the subset of incomparable(i, i') comprised of
the states in which, in the case of a claim overlap between the vehicles i and i', the
vehicle i must yield to the vehicle i'. When the locations of the vehicles i and i' are
not comparable, the vehicle i must yield to the vehicle i' if either only the vehicle i'
owns the merge point, or the vehicle i is traveling on the left branch and neither or
both vehicles own the merge point.

yield(i, i'), for i,i' ∈ I, i ≠ i', is the subset of VALID comprised of the states in which, in
the case of a claim overlap between the vehicles i and i', the vehicle i must yield to
the vehicle i' in order to prevent a potential collision between the vehicles i and i'.

Since the above definitions only depend on the output variables of the MERGE-VEHICLES
automaton, we often use the above sets to classify states of the output state set Y_MERGE-VEHICLES.

The following lemma describes some properties of the sets defined above. 

Lemma 7.2.1 For all i,i' ∈ I, i ≠ i', the following hold:

1. VALID = comparable(i, i') ∪ incomparable(i, i').

2. comparable(i, i') = yield-comparable(i, i') ∪ yield-comparable(i', i).

3. yield-comparable(i, i') ∩ yield-comparable(i', i) = ∅.

4. incomparable(i, i') = yield-incomparable(i, i') ∪ yield-incomparable(i', i).

5. yield-incomparable(i, i') ∩ yield-incomparable(i', i) = ∅.

Proof: We prove each of the conditions separately:

1. This follows directly from the definition of comparable(i, i') and incomparable(i, i'), for
i,i' ∈ I, i ≠ i'.

2. For all i,i' ∈ I, i ≠ i', the sets yield-comparable(i, i') and yield-comparable(i', i) are
both subsets of the set comparable(i, i'). Therefore, it suffices to show that any
state p in the set comparable(i, i'), for some i,i' ∈ I, i ≠ i', is either in the set
yield-comparable(i, i'), or in the set yield-comparable(i', i).
Table 7.1 Auxiliary sets for the MERGE-VEHICLES automaton.

comparable(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  comparable(i, i') = {p ∈ VALID | (p.l_i.b = p.l_i'.b) ∨ (p.l_i.b = out) ∨ (p.l_i'.b = out)}

incomparable(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  incomparable(i, i') = VALID − comparable(i, i')

yield-comparable(i, i') ⊆ comparable(i, i'), for i, i' ∈ I, i ≠ i', defined by
  yield-comparable(i, i') = {p ∈ comparable(i, i') | p.l_i < p.l_i'}

yield-incomparable(i, i') ⊆ incomparable(i, i'), for i, i' ∈ I, i ≠ i', defined by
  yield-incomparable(i, i') = {p ∈ incomparable(i, i') | ((out, 0) ∉ p.O_i ∧ (out, 0) ∈ p.O_i')
                                                        ∨ ((out, 0) ∈ p.O_i ∧ (out, 0) ∈ p.O_i' ∧ p.l_i.b = left)
                                                        ∨ ((out, 0) ∉ p.O_i ∧ (out, 0) ∉ p.O_i' ∧ p.l_i.b = left)}

yield(i, i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  yield(i, i') = yield-comparable(i, i') ∪ yield-incomparable(i, i')



Let the state p be any state in comparable(i, i'), for some i,i' ∈ I, i ≠ i'. Since
comparable(i, i') ⊆ VALID, it is the case that p ∈ VALID. Therefore, the sections of
the track occupied by the vehicles i and i' do not have a positive length closed interval
overlap. It follows that it is not possible for their locations to coincide; that is, for any
p ∈ comparable(i, i'), it is the case that p.l_i ≠ p.l_i'. Therefore, regarding the ordering
of the locations of the vehicles i and i', there are only two viable cases:

(a) p.l_i < p.l_i'. In this case, p ∈ yield-comparable(i, i').

(b) p.l_i' < p.l_i. In this case, p ∈ yield-comparable(i', i).

3. If p ∈ yield-comparable(i, i') then it is the case that p.l_i < p.l_i'. It follows that
p ∉ yield-comparable(i', i). Similarly, if p ∈ yield-comparable(i', i) then it is the case
that p.l_i' < p.l_i. It follows that p ∉ yield-comparable(i, i'). This suffices.

4. For all i,i' ∈ I, i ≠ i', the sets yield-incomparable(i, i') and yield-incomparable(i', i)
are both subsets of the set incomparable(i, i'). Therefore, it suffices to show that any
state p in the set incomparable(i, i'), for some i,i' ∈ I, i ≠ i', is either in the set
yield-incomparable(i, i'), or in the set yield-incomparable(i', i).

Let the state p be any state in incomparable(i, i'), for some i,i' ∈ I, i ≠ i', and without
loss of generality let the vehicle i be the vehicle traveling on the left incoming branch.
Regarding the ownership of the merge point by each of the vehicles, there are four
cases:

(a) (out, 0) ∈ p.O_i ∧ (out, 0) ∈ p.O_i'. In this case, p ∈ yield-incomparable(i, i') and
p ∉ yield-incomparable(i', i).

(b) (out, 0) ∉ p.O_i ∧ (out, 0) ∉ p.O_i'. Similarly to above, p ∈ yield-incomparable(i, i')
and p ∉ yield-incomparable(i', i).

(c) (out, 0) ∉ p.O_i ∧ (out, 0) ∈ p.O_i'. In this case, p ∈ yield-incomparable(i, i') and
p ∉ yield-incomparable(i', i).

(d) (out, 0) ∈ p.O_i ∧ (out, 0) ∉ p.O_i'. In this case, p ∉ yield-incomparable(i, i') and
p ∈ yield-incomparable(i', i).

5. This condition follows from the analysis in the proof of condition 4. ■



7.3 Protection System MERGE-PROT-PAIR_{i,i'}

Each MERGE-PROT-PAIR_{i,i'} automaton, for i,i' ∈ I, i ≠ i', is a vehicle-pair collision protector
and guarantees that the vehicles i and i' do not collide into each other, provided
that all the vehicles are abiding by the speed limit and the vehicles of all other vehicle
pairs do not collide between themselves. Each of the MERGE-PROT-PAIR_{i,i'} protectors, for
i,i' ∈ I, i ≠ i', is an implementation of the abstract protector of Section 3.2 specialized to
particular definitions of the parameters PP, S, R, G, j, and d.

The physical plant automaton, PP, is defined to be the MERGE-VEHICLES automaton of
Figure 7.1. The port j and the sampling period d are defined to be the port and sampling
period with which the protector MERGE-PROT-PAIR_{i,i'} communicates with the MERGE-VEHICLES
automaton. They are assumed arbitrary and are fixed for the rest of the chapter.
The set of "good" states G is defined to be the set of states in which the vehicles i
and i' have not collided into each other, i.e., G = VALID − P_collided(i,i') − P_collided(i',i).
In this chapter, we use the notation G_{i,i'} to denote the definition of G that is specific
to the MERGE-PROT-PAIR_{i,i'} protector. The set R is defined to be the set

R = P_not-overspeed ∩ (∩_{i'',i''' ∈ I, i'' ≠ i''', {i'',i'''} ≠ {i,i'}} G_{i'',i'''}).

This definition restricts the states of
the MERGE-VEHICLES automaton to states in which all the vehicles are abiding by the
speed limit and in which the vehicles of all other vehicle pairs {i'',i'''}, for i'',i''' ∈ I, i'' ≠
i''', {i'',i'''} ≠ {i,i'}, have not collided into each other. The set S is defined to be the set
safe as defined in Section 3.2.1; that is, the set of states of the PP automaton for which
a single input action of PP on port j can guarantee that, provided no new input actions
on port j are allowed, all subsequently R-reachable states will be in G. Once again, the
definition of the set safe is specialized to the above definitions of the automaton PP, the
sets R and G, and the port j. In this chapter, we use the notation R_{i,i'} and S_{i,i'} to refer
to the above definitions of the sets R and S.

The MERGE-PROT-PAIR_{i,i'} protector automaton is an implementation of the abstract protector
automaton Abs(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d). More precisely, as is the
case for the abstract protector Abs_j, we define the MERGE-PROT-PAIR_{i,i'} automaton to be
the composition of a sensor and a discrete controller automaton. These automata are
implementations of their abstract equivalents of Figures 3.2 and 3.3 specialized, however, to
the above definitions of the parameters PP, S, R, G, j, and d. The sensor automaton is
precisely the specialization of the sensor automaton of Figure 3.2 to the above definitions
of the parameters PP, etc. The discrete controller automaton is defined in Figure 7.2.

The braking strategy of the MERGE-PROT-PAIR_{i,i'} protector is as follows. The protector
is allowed to brake the vehicles i and i' only if the sections of the track they claim in time d 
overlap. Given that the vehicles i and i' are indeed involved in such a claim overlap, there 
are two possible scenarios depending on whether the locations of the vehicles i and i' are 
comparable, or not. If their locations are comparable, then the vehicle i is instructed to 
brake if it trails the vehicle i'; otherwise, the vehicle i' is instructed to brake. On the other 
hand, if the vehicle locations are not comparable, the vehicle i is instructed to brake either 
if only the vehicle i' owns the merge point, or if both or neither vehicles own the merge 
point and the vehicle i is traveling on the left branch; otherwise, the vehicle i' is instructed 
to brake. In the latter case, we choose to brake the vehicle traveling on the left branch for 
no particular reason. In fact, it is plausible to brake either or both of the vehicles involved 
in the claim overlap. However, if both of the vehicles were instructed to brake, it would 
be possible to reach a bottleneck state — a state in which both of the incoming vehicles 
involved in the claim overlap are instructed to brake thereafter and, subsequently, none of 
the trailing incoming vehicles would be capable of proceeding. 

The braking strategy considers the case in which both the vehicles i and i' own the merge 
point. Although this situation is a valid state of the MERGE-VEHICLES automaton, in the 
following section it is shown that such states are excluded from the reachable state set 
of the composition of the MERGE-VEHICLES automaton and all the MERGE-PROT-PAIR_{i,i'}
protectors, for i,i' ∈ I, i ≠ i'. It is also important to note that, according to the braking
strategy and provided that the sections of track owned by the vehicles i and i' are disjoint, 
if the locations of the vehicles i and i' are not comparable, then the section of the track 
owned by the vehicle to be braked is entirely upstream of the merge point. 
Figure 7.2 Discrete controller automaton for the protector MERGE-PROT-PAIR_{i,i'}.

Actions:
  Input:  e, the environment action (stuttering)
          snapshot(y)_j, for each valuation y of Y_MERGE-VEHICLES
  Output: protect(C)_j, for C ∈ P({i,i'})

Variables:
  Internal: send_j ∈ P({i,i'}) ∪ {null}, initially null

Discrete Transitions:

  snapshot(y)_j
    Eff: if y ∉ disjoint-claimed-tracks(i, i', d) then
           if y ∈ yield(i, i') then
             send_j := {i}
           else
             send_j := {i'}
         else
           send_j := ∅

  protect(C)_j
    Pre: send_j = C
    Eff: send_j := null

Trajectories:
  w.send_j = null
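The location algebra of Section 7.1, the yield sets of Table 7.1 and the snapshot step of the Figure 7.2 controller, as an added Python example that is not part of the thesis; it assumes that stop-dist_i and max-range_i(d) of Section 4.3 are supplied as plain distances rather than derived from the vehicle dynamics, and represents owned and claimed tracks as closed intervals of L.

```python
# Added example, not code from the thesis: the location set L of Section 7.1
# with its partial order and scalar addition, the yield sets of Table 7.1, and
# the snapshot step of the Figure 7.2 discrete controller.
# Assumption: stop-dist_i and max-range_i(d) (Section 4.3) are supplied as
# plain distances; owned and claimed tracks are closed intervals of L.
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

LEFT, RIGHT, OUT = "left", "right", "out"


@dataclass(frozen=True)
class Loc:
    """A location (b, x) in L: incoming branches carry x < 0, out carries x >= 0."""
    b: str
    x: float

    def __post_init__(self) -> None:
        if self.b not in (LEFT, RIGHT, OUT):
            raise ValueError("unknown branch label")
        if self.b in (LEFT, RIGHT) and not self.x < 0:
            raise ValueError("incoming branches are indexed by negative reals")
        if self.b == OUT and not self.x >= 0:
            raise ValueError("the merged section is indexed by non-negative reals")


MERGE_POINT = Loc(OUT, 0.0)
Interval = Tuple[Loc, Loc]  # (lo, hi) with lo <= hi in the order below


def leq(l1: Loc, l2: Loc) -> bool:
    """(b1, x1) <= (b2, x2) iff x1 <= x2 and either b1 = b2 or b2 = out."""
    return l1.x <= l2.x and (l1.b == l2.b or l2.b == OUT)


def comparable(l1: Loc, l2: Loc) -> bool:
    """Locations are incomparable exactly when one is on left and the other on right."""
    return leq(l1, l2) or leq(l2, l1)


def add(l: Loc, y: float) -> Loc:
    """(b, x) + y for y >= 0: stays on the branch while x + y < 0, else lands on out."""
    if y < 0:
        raise ValueError("only non-negative scalars may be added to a location")
    x = l.x + y
    return Loc(l.b, x) if x < 0 else Loc(OUT, x)


def interval(lo: Loc, length: float) -> Interval:
    return (lo, add(lo, length))


def contains(iv: Interval, l: Loc) -> bool:
    lo, hi = iv
    return leq(lo, l) and leq(l, hi)


def intersect(iv1: Interval, iv2: Interval) -> Optional[Interval]:
    """Intersection of two closed intervals of L, or None when they are disjoint."""
    (lo1, hi1), (lo2, hi2) = iv1, iv2
    if not comparable(hi1, hi2):
        return None  # both end upstream on different branches: nothing in common
    if comparable(lo1, lo2):
        lo = lo2 if leq(lo1, lo2) else lo1
    else:
        lo = MERGE_POINT  # one starts on left, the other on right: shared track begins at the merge
    hi = hi1 if leq(hi1, hi2) else hi2
    return (lo, hi) if leq(lo, hi) else None


def yields(l_i: Loc, l_ip: Loc, O_i: Interval, O_ip: Interval) -> bool:
    """p in yield(i, i') of Table 7.1: vehicle i must brake in a claim overlap with i'."""
    if comparable(l_i, l_ip):
        return leq(l_i, l_ip) and l_i != l_ip  # yield-comparable: i trails i'
    own_i, own_ip = contains(O_i, MERGE_POINT), contains(O_ip, MERGE_POINT)
    # yield-incomparable: only i' owns the merge point, or ownership is tied
    # (both or neither) and i is the vehicle on the left branch
    return (not own_i and own_ip) or (own_i == own_ip and l_i.b == LEFT)


@dataclass(frozen=True)
class Vehicle:
    ident: int
    loc: Loc            # l_i
    stop_dist: float    # stop-dist_i: distance needed to stop from the current speed
    claim_range: float  # max-range_i(d): farthest point reachable in time d, then stopping

    def owned(self) -> Interval:    # O_i
        return interval(self.loc, self.stop_dist)

    def claimed(self) -> Interval:  # C_i(d); extends at least as far as O_i
        return interval(self.loc, self.claim_range)


def snapshot(v: Vehicle, w: Vehicle) -> FrozenSet[int]:
    """Effect of snapshot(y)_j in Figure 7.2: the set C the controller sends in protect(C)_j."""
    if intersect(v.claimed(), w.claimed()) is None:
        return frozenset()  # y in disjoint-claimed-tracks(i, i', d): revoke any brake request
    if yields(v.loc, w.loc, v.owned(), w.owned()):
        return frozenset({v.ident})
    return frozenset({w.ident})
```

Evaluating snapshot with the two vehicles in either order yields the same braked vehicle, which is the Lemma 7.2.1 disjointness of yield(i, i') and yield(i', i) seen from the controller's side.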



It is important to note that the abstract protector automaton Abs(MERGE-VEHICLES, S_{i,i'},
R_{i,i'}, G_{i,i'}, j, d) complies with the assumptions made about the abstract protector in Section
3.2.1. In particular, since the vehicle location variables, the vehicle velocity variables,
and the collided variables are output variables of the MERGE-VEHICLES automaton, the set
safe is Y_MERGE-VEHICLES-determinable and actions that guarantee safety can be determined
from the output variables of the MERGE-VEHICLES automaton (Axioms 3.2.4 and 3.2.5,
respectively). Moreover, the sets R_{i,i'} and G_{i,i'} are Y_MERGE-VEHICLES-determinable (Axioms
3.2.6 and 3.2.7, respectively) and the set of start states S_{i,i'} is a subset of the set
safe (Axiom 3.2.8), since S_{i,i'} is defined to be the set safe.

In Section 3.1 it was shown that the abstract protector Abs_j guarantees that the physical
plant PP remains within G starting from S given R. Similarly, the MERGE-PROT-PAIR_{i,i'}
automaton guarantees that the MERGE-VEHICLES automaton remains within G_{i,i'} starting
from S_{i,i'} given R_{i,i'}. This is shown in the following section.
7.4 Correctness of MERGE-PROT-PAIR_{i,i'}

The main result to be shown is that MERGE-PROT-PAIR_{i,i'} ≤ Abs(MERGE-VEHICLES, S_{i,i'},
R_{i,i'}, G_{i,i'}, j, d). Since both MERGE-PROT-PAIR_{i,i'} and Abs(MERGE-VEHICLES, S_{i,i'},
R_{i,i'}, G_{i,i'}, j, d) involve the composition of the same sensor automaton with distinct discrete
controller automata, Theorem 2.7.4 applies. Therefore, it suffices to show that the
discrete controller automaton of the protector MERGE-PROT-PAIR_{i,i'} of Figure 7.2 implements
the discrete controller automaton DC(MERGE-VEHICLES, S_{i,i'}, R_{i,i'}, G_{i,i'}, j, d)
of Figure 3.3. From Theorem 2.6.1, this follows by showing that there exists a simulation
relation between the states of the discrete controller automaton of the protector
MERGE-PROT-PAIR_{i,i'} and the discrete controller automaton DC(MERGE-VEHICLES, S_{i,i'},
R_{i,i'}, G_{i,i'}, j, d). We first give some set definitions, then prove some lemmas, and finally
show the existence of such a simulation relation.

In this section, we use the notation future_{i,i'}, safe_{i,i'}, very-safe_{i,i'}, and delay-safe_{i,i'}
to denote the specialization of the function future, the sets safe and very-safe, and the
function delay-safe, which are defined in Section 3.2.1, to the automaton MERGE-VEHICLES,
the sets R_{i,i'} and G_{i,i'}, and the port j of the MERGE-PROT-PAIR_{i,i'} protector.
Moreover, since the environment action of the MERGE-VEHICLES automaton is stuttering,
its consideration is omitted in all inductive proofs involving the PP automaton.

We proceed by defining several sets that are used in the correctness proof of the protector
MERGE-PROT-PAIR_{i,i'}. For reference, their formal definitions appear in Table 7.2.

Let W_{i,i'} be the subset of R_{i,i'} ∩ G_{i,i'} comprised of the states in which the section of the
track owned by the vehicle i does not overlap the section of track owned by the vehicle i';
that is, W_{i,i'} = R_{i,i'} ∩ G_{i,i'} ∩ disjoint-owned-tracks(i, i').

Let V_(i,i') be the subset of W_{i,i'} comprised of the states in which the vehicle i is being
instructed to brake by the protector j and either the locations of the vehicles i and i' are
comparable and l_i < l_i', i.e., the vehicle i is trailing the vehicle i', or the locations of the
vehicles i and i' are incomparable and the section of the track owned by the vehicle i is
entirely upstream of the merge point (out, 0). Moreover, let V_{i,i'} be defined as V_{i,i'} =
V_(i,i') ∪ V_(i',i).

Let T_{i,i'}(t), where t ∈ R^{≥0}, be the subset of R_{i,i'} ∩ G_{i,i'} comprised of the states in
which the section of the track claimed in time t by the vehicle i does not overlap the
section of the track claimed in time t by the vehicle i'; that is, T_{i,i'}(t) = R_{i,i'} ∩ G_{i,i'} ∩
disjoint-claimed-tracks(i, i', t).

The following lemma defines the relation among the sets G_{i,i'}, W_{i,i'}, V_{i,i'}, and T_{i,i'}(t),
for t ∈ R^{≥0}.

Lemma 7.4.1 For all t,t' ∈ R^{≥0}, t < t', the following hold:

Table 7.2 Sets used in the correctness proof of MERGE-PROT-PAIR_{i,i'}.

W_{i,i'} ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  W_{i,i'} = R_{i,i'} ∩ G_{i,i'} ∩ disjoint-owned-tracks(i, i')

V_(i,i') ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  V_(i,i') = {p ∈ W_{i,i'} ∩ P_{B_ij} | (p ∈ comparable(i, i') ∧ p.l_i < p.l_i')
                                      ∨ (p ∈ incomparable(i, i') ∧ max(p.O_i) < (out, 0))}

V_{i,i'} ⊆ VALID, for i, i' ∈ I, i ≠ i', defined by
  V_{i,i'} = V_(i,i') ∪ V_(i',i)

T_{i,i'}(t) ⊆ VALID, for i, i' ∈ I, i ≠ i', and t ∈ R^{≥0}, defined by
  T_{i,i'}(t) = R_{i,i'} ∩ G_{i,i'} ∩ disjoint-claimed-tracks(i, i', t)

4. T_{i,i'}(0) = W_{i,i'}.

Proof: Follows directly from the definitions of the sets V_{i,i'}, W_{i,i'}, and T_{i,i'}(t), where
t ∈ R^{≥0}, and Lemma 4.4.2. ■

In the following three lemmas, we show that any state R_{i,i'}-reachable from a state in V_(i,i')
through an execution fragment that involves no input actions on port j, is in W_{i,i'}. In the
first lemma, we show that if the final state of such an execution fragment is in G_{i,i'} and the
section of track owned by the vehicle i has not grown since the beginning of the execution
fragment, then the final state of the execution fragment is in W_{i,i'}. In the second lemma,
we show that the final state of any such execution fragment is in G_{i,i'} and the section of
track owned by the vehicle i does not grow throughout the execution fragment. Finally, the
third lemma combines these two results and states formally the desired property.

Lemma 7.4.2 Let p ∈ V_(i,i') and p' ∈ future_{i,i'}(p, R^{≥0}). If p' ∈ G_{i,i'} and p'.O_i ⊆ p.O_i,
then p' ∈ W_{i,i'}.

Proof: We need to show that p' ∈ W_{i,i'}; that is, we need to show that the state p' is in the
set R_{i,i'} ∩ G_{i,i'} ∩ disjoint-owned-tracks(i, i'). By assumption, it is the case that p' ∈ G_{i,i'}.
Therefore, it remains to be shown that p' ∈ R_{i,i'} and p' ∈ disjoint-owned-tracks(i, i'). We
consider these two conditions by cases:

1. p' ∈ R_{i,i'}.

This is the case because the function future_{i,i'}(p, R^{≥0}) only considers R_{i,i'}-reachable
states.

2. p' ∈ disjoint-owned-tracks(i, i').

Since p ∈ V_(i,i'), there are two possible cases: (i) p ∈ comparable(i, i') and p.l_i < p.l_i',
and (ii) p ∈ incomparable(i, i') and max(p.O_i) < (out, 0).

In the first case, it is as if the vehicle i is trailing the vehicle i' on a single track. Since
p ∈ V_(i,i') ⊆ W_{i,i'}, the sections of the track owned by the vehicles i and i' in state
p are disjoint. Since p ∈ comparable(i, i') and p.l_i < p.l_i', it follows that max(p.O_i) <
min(p.O_i'). Moreover, Lemma 4.4.2, part 2, implies that max(p.O_i) < p.l_i'. Therefore,
because of the non-negative constraint on the vehicle velocities and the assumption
that p'.O_i ⊆ p.O_i, it follows that p' ∈ disjoint-owned-tracks(i, i').

In the second case, since max(p.O_i) < (out, 0), the section of the track owned by
the vehicle i in state p is strictly within the incoming branch p.l_i.b. Since
p'.O_i ⊆ p.O_i, the same is true for the section of track owned by the vehicle i in
state p'. Therefore, since the vehicle i' is traveling on the adjacent incoming branch,
it follows that p' ∈ disjoint-owned-tracks(i, i'). ■



Lemma 7.4.3 If p ∈ V_(i,i') and p' ∈ future_{i,i'}(p, R^{≥0}), then p' ∈ G_{i,i'} and p'.O_i ⊆ p.O_i.

Proof: Let α be an execution fragment of the MERGE-VEHICLES automaton of n steps and
trajectories, where n ∈ N, that: starts in a state in V_(i,i'), is only comprised of states in
R_{i,i'}, and involves no input actions on port j. Letting p_init and p_final be the initial and
final states of α, respectively, we must show that p_final ∈ G_{i,i'} and p_final.O_i ⊆ p_init.O_i. The
proof is by induction on the length n of the execution fragment α.

For the base case, consider the execution fragment α of length n = 0; that is, α is an
execution fragment that consists of a single point trajectory and therefore, p_final = p_init.
From Lemma 7.4.1, part 2, and the fact that p_init ∈ V_(i,i') ⊆ V_{i,i'}, it follows that p_final ∈
G_{i,i'}. Moreover, the fact that p_final.O_i ⊆ p_init.O_i is trivially true.

The inductive step involves showing that if α is an execution fragment of length n = k + 1, for
some k ∈ N, then p_final ∈ G_{i,i'} and p_final.O_i ⊆ p_init.O_i. Let α' be the part of the execution
fragment α comprised of the first k steps and trajectories. The induction hypothesis involves
the assertion that if p'_init and p'_final are the initial and final states of α', respectively, then
it is the case that p'_final ∈ G_{i,i'} and p'_final.O_i ⊆ p'_init.O_i. Moreover, from Lemma 7.4.2 it
follows that p'_final ∈ W_{i,i'}. Since the final state of α is reached from the final state of α'
by a single step or trajectory, the inductive step involves the consideration of all possible
steps and trajectories leading from p'_final to p_final.

In the case of a step, we consider all possible actions by cases:

1. the actions protect(C)$_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and does not affect the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the brick-wall(i) action does not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

3. the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I$, $i'' \neq i$, affect neither the velocity of the vehicle $i$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I$, $i'' \neq i$, do not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Moreover, since the input actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions brick-wall(i''), for $i'' \in I$, $i'' \neq i$, do not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$, as needed.

4. the internal actions colliding-pair(i'', i'''), for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions collision-effects(i''''), for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{final} \in W_{\{i,i'\}}$.

Since $p_{init} \in V_{(i,i')} \subseteq P_{B_i}$, and the execution fragment leading from $p_{init}$ to $p'_{final}$ involves no input actions on port $j$, it follows that $p'_{final} \in P_{B_i}$. Therefore, in the case of a trajectory from $p'_{final}$ to $p_{final}$, Lemma 4.4.4, part 1, implies that $p_{final}.O_i \subseteq p'_{final}.O_i$. However, from the induction hypothesis it is the case that $p'_{final}.O_i \subseteq p'_{init}.O_i$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.O_i \subseteq p_{init}.O_i$. Moreover, since $p'_{final} \in G_{\{i,i'\}}$ and the variables collided(i, i') and collided(i', i) remain constant throughout the trajectory, it follows that $p_{final} \in G_{\{i,i'\}}$, as needed. ∎

Lemma 7.4.4 future$_{\{i,i'\}}(V_{(i,i')}, \mathbb{R}^{\geq 0}) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 7.4.2 and 7.4.3. ∎

In the following lemma, we extend the result of Lemma 7.4.4 to the set $V_{\{i,i'\}}$.

Lemma 7.4.5 future$_{\{i,i'\}}(V_{\{i,i'\}}, \mathbb{R}^{\geq 0}) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.4 and the fact that $V_{\{i,i'\}} = V_{(i,i')} \cup V_{(i',i)}$. ∎

In the following two lemmas, we use Lemma 7.4.5 to show that $V_{\{i,i'\}} \subseteq$ very-safe$_{\{i,i'\}}$ and $V_{\{i,i'\}} \subseteq$ delay-safe$_{\{i,i'\}}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, respectively.

Lemma 7.4.6 $V_{\{i,i'\}} \subseteq$ very-safe$_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.5 and Lemma 7.4.1, part 1. ∎

Lemma 7.4.7 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $V_{\{i,i'\}} \subseteq$ delay-safe$_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 7.4.6 and Lemma 3.2.5, part 1. ∎

In the next three lemmas and the subsequent corollary, we show that the sets $W_{\{i,i'\}}$ and safe$_{\{i,i'\}}$ are equal. First, we show that any state that is $R_{\{i,i'\}}$-reachable from a state $p$ in $W_{\{i,i'\}}$ through an execution fragment that involves no input actions on port $j$ and has a limit time equal to zero, is in the set $W_{\{i,i'\}}$. Then, we show that $W_{\{i,i'\}} \subseteq$ safe$_{\{i,i'\}}$ and safe$_{\{i,i'\}} \subseteq W_{\{i,i'\}}$. Finally, the subsequent corollary states that $W_{\{i,i'\}} =$ safe$_{\{i,i'\}}$.

Lemma 7.4.8 future$_{\{i,i'\}}(W_{\{i,i'\}}, 0) \subseteq W_{\{i,i'\}}$.

Proof: Let $\alpha$ be an execution fragment of the MERGE-VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that: starts in a state in $W_{\{i,i'\}}$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time equal to zero. Let $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{final} \in W_{\{i,i'\}}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of no steps and, therefore, $p_{final} = p_{init}$. Since $p_{init} \in W_{\{i,i'\}}$, it follows that $p_{final} \in W_{\{i,i'\}}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{final} \in W_{\{i,i'\}}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{final}$ is the final state of $\alpha'$, then it is the case that $p'_{final} \in W_{\{i,i'\}}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{final}$ to $p_{final}$.

To complete the induction, we consider all possible discrete actions by cases:

1. the actions protect(C)$_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the brick-wall(i) action does not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i$. Moreover, since the brick-wall(i) action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{\{i,i'\}} \subseteq$ disjoint-owned-tracks(i, i'), it follows that $p_{final} \in$ disjoint-owned-tracks(i, i').

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{final} \in W_{\{i,i'\}}$.

3. the brick-wall(i') action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the brick-wall(i') action does not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \leq p'_{final}.\dot{x}_{i'}$. Moreover, since the brick-wall(i') action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$ and $p_{final}.O_i \subseteq p'_{final}.O_i$. Therefore, since $p'_{final} \in W_{\{i,i'\}} \subseteq$ disjoint-owned-tracks(i, i'), it follows that $p_{final} \in$ disjoint-owned-tracks(i, i').

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{final} \in W_{\{i,i'\}}$.

4. the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I - \{i,i'\}$, affect neither the velocities of the vehicles $i$ and $i'$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I - \{i,i'\}$, do not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Moreover, since the input actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions brick-wall(i''), for $i'' \in I - \{i,i'\}$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{final}.O_i \subseteq p'_{final}.O_i$ and $p_{final}.O_{i'} \subseteq p'_{final}.O_{i'}$. Therefore, since $p'_{final} \in W_{\{i,i'\}} \subseteq$ disjoint-owned-tracks(i, i'), it is the case that $p_{final} \in$ disjoint-owned-tracks(i, i').

Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{final} \in W_{\{i,i'\}}$.

5. the internal actions colliding-pair(i'', i'''), for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions collision-effects(i''''), for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{final} \in W_{\{i,i'\}}$. ∎

Lemma 7.4.9 $W_{\{i,i'\}} \subseteq$ safe$_{\{i,i'\}}$.

Proof: From the definition of safe in Section 3.2.1, we must show that any state $p \in W_{\{i,i'\}}$ satisfies: (i) future$_{\{i,i'\}}(p, 0) \subseteq G_{\{i,i'\}}$, and (ii) there exists some input action $\pi$ on port $j$ such that for every $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in$ future$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in$ very-safe$_{\{i,i'\}}$.

(i) Since $p \in W_{\{i,i'\}}$, the first condition follows from Lemma 7.4.8 and Lemma 7.4.1, part 1.

(ii) For the second condition, let $\pi$ be the action protect(C)$_j$, where $C = \{i\}$, if $p \in$ yield(i, i'), and $C = \{i'\}$, otherwise. Without loss of generality, let $p \in$ yield(i, i') and

Throughout the execution fragment from $p$ to $p'$, the actions colliding-pair(i'', i'''), for $i'', i''' \in I$, $i'' \neq i'''$, and collision-effects(i''''), for $i'''' \in I$, are not enabled. Therefore, since none of the other discrete actions of the MERGE-VEHICLES automaton can increase the velocities of the vehicles $i$ and $i'$, Lemma 4.4.3, part 1, implies that $p'.O_i \subseteq p.O_i$ and $p'.O_{i'} \subseteq p.O_{i'}$. Moreover, since the protect({i})$_j$ action does not affect the velocity of the vehicle $i$, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p.O_i$. Since $p''.O_i \subseteq p.O_i$ and $p \in$ yield(i, i'), it is the case that in the state $p''$ either the locations of the vehicles $i$ and $i'$ are comparable and the vehicle $i$ is trailing the vehicle $i'$, or the locations of the vehicles $i$ and $i'$ are not comparable and the section of track owned by the vehicle $i$ is entirely upstream of the merge point $(out, 0)$.

Moreover, considering the step from $p'$ to $p''$, the protect({i})$_j$ action affects neither the velocity of any of the vehicles, nor any of the collided variables. Therefore, since Lemma 7.4.8 implies that $p' \in W_{\{i,i'\}}$, it follows that $p'' \in R_{\{i,i'\}}$ and $p'' \in G_{\{i,i'\}}$. In addition, since the protect({i})$_j$ action does not affect the velocities of the vehicles $i$ and $i'$, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$ and $p''.O_{i'} \subseteq p'.O_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, it follows that $p'' \in$ disjoint-owned-tracks(i, i'). From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$.

In addition, since the protect({i})$_j$ action sets the variable brake-req(i, j) to True, it is also the case that $p'' \in P_{B_i}$.

Thus, since $p'' \in W_{\{i,i'\}}$, $p'' \in P_{B_i}$, and either the locations of the vehicles $i$ and $i'$ in the state $p''$ are comparable and the vehicle $i$ is trailing the vehicle $i'$, or the locations of the vehicles $i$ and $i'$ in the state $p''$ are not comparable and the section of track owned by the vehicle $i$ is entirely upstream of the merge point $(out, 0)$, it follows that $p'' \in V_{(i,i')} \subseteq V_{\{i,i'\}}$.

Finally, Lemma 7.4.6 implies that $p'' \in$ very-safe$_{\{i,i'\}}$, as needed. ∎

Lemma 7.4.10 For any $p \in R_{\{i,i'\}}$, if $p \in$ safe$_{\{i,i'\}}$ then $p \in W_{\{i,i'\}}$.

Proof: We show the contrapositive; that is, for any $p \in R_{\{i,i'\}}$, if $p \notin W_{\{i,i'\}}$ then $p \notin$ safe$_{\{i,i'\}}$. Since $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap$ disjoint-owned-tracks(i, i') and $p \in R_{\{i,i'\}}$, we consider the conditions $p \notin G_{\{i,i'\}}$ and $p \notin$ disjoint-owned-tracks(i, i') separately.

1. $p \notin G_{\{i,i'\}}$.

From Lemma 3.2.4, part 1, it is the case that safe$_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Since $p \notin G_{\{i,i'\}}$, it follows that $p \notin$ safe$_{\{i,i'\}}$.

2. $p \notin$ disjoint-owned-tracks(i, i').

We must show that $p \notin$ safe$_{\{i,i'\}}$. In order for the state $p \in R_{\{i,i'\}}$ to be in the set safe$_{\{i,i'\}}$ there must exist some input action $\pi$ on port $j$ such that for every $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in$ future$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in$ very-safe$_{\{i,i'\}}$. Therefore, it suffices to show that for any input action $\pi$ on port $j$, there exist $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in$ future$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin$ very-safe$_{\{i,i'\}}$.

Without loss of generality, suppose that the vehicles $i$ and $i'$ are traveling on adjacent branches in the state $p$, i.e., $p \in$ incomparable(i, i'), and let $\pi =$ protect({i, i'})$_j$.

Since Lemma 3.2.1, part 3, implies that $p \in$ future$_{\{i,i'\}}(p, 0)$, consider the case where $p' = p$. Since $p' = p$ and the input action protect({i, i'})$_j$ affects neither the location, nor the velocity of the vehicles $i$ and $i'$, it follows that $p''.l_i = p'.l_i = p.l_i$, $p''.\dot{x}_i = p'.\dot{x}_i = p.\dot{x}_i$, $p''.l_{i'} = p'.l_{i'} = p.l_{i'}$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'} = p.\dot{x}_{i'}$. Therefore, since the section of track owned by any vehicle depends only on its location and its velocity, it is the case that $p''.O_i = p'.O_i = p.O_i$ and $p''.O_{i'} = p'.O_{i'} = p.O_{i'}$. Therefore, since $p \notin$ disjoint-owned-tracks(i, i'), $p''.O_i = p.O_i$, and $p''.O_{i'} = p.O_{i'}$, it follows that $p'' \notin$ disjoint-owned-tracks(i, i'). Moreover, since the vehicles $i$ and $i'$ are traveling on adjacent branches in state $p$, $p''.l_i = p.l_i$, $p''.l_{i'} = p.l_{i'}$, and $p'' \notin$ disjoint-owned-tracks(i, i'), it follows that $(out, 0) \in p''.O_i$ and $(out, 0) \in p''.O_{i'}$.

Again, without loss of generality, suppose that the vehicle $i'$ is the first of the vehicles $i$ and $i'$ to reach the merge point $(out, 0)$ and that the vehicles $i$ and $i'$ have not collided up until the point in time when the vehicle $i'$ reaches the merge point. Moreover, consider the evolution of the MERGE-VEHICLES automaton following the state $p''$ in which a brick-wall(i') action is executed at the exact instant in time when the location of the vehicle $i'$ equals the merge point $(out, 0)$ and the vehicles $i$ and $i'$ move forward and remain stationary thereafter, respectively. Since $(out, 0) \in p''.O_i$, it follows that at some state of such an evolution the action colliding-pair(i, i') is enabled and, subsequently, executed. The state of the MERGE-VEHICLES automaton following the execution of the action colliding-pair(i, i') would, therefore, not be in $G_{\{i,i'\}}$. It follows that $p'' \notin$ very-safe$_{\{i,i'\}}$, which implies that $p \notin$ safe$_{\{i,i'\}}$.

Using similar analyses, it can be shown that for any $p \in R_{\{i,i'\}}$ and any input action $\pi$ on port $j$, there exist $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in$ future$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin$ very-safe$_{\{i,i'\}}$. It follows that $p \notin$ safe$_{\{i,i'\}}$, as needed. ∎

Corollary 7.4.11 $W_{\{i,i'\}} =$ safe$_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 7.4.9 and 7.4.10. ∎

In the next few lemmas, we show that any state $p$ in the set $T_{\{i,i'\}}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, is in the set delay-safe$_{\{i,i'\}}(t)$; that is, any state $R_{\{i,i'\}}$-reachable from $p$ within an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set $G_{\{i,i'\}}$, and any state $R_{\{i,i'\}}$-reachable from the state $p$ in exactly an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set safe$_{\{i,i'\}}$.

Lemma 7.4.12 Let $p \in T_{\{i,i'\}}(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in$ future$_{\{i,i'\}}(p, t)$, where $t \in [0, \tau]$. If $p' \in G_{\{i,i'\}}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, then $p' \in T_{\{i,i'\}}(\tau - t)$.

Proof: We need to show that $p' \in R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap$ disjoint-claimed-tracks$(i, i', \tau - t)$. Since $p' \in G_{\{i,i'\}}$, it remains to be shown that $p' \in R_{\{i,i'\}}$ and $p' \in$ disjoint-claimed-tracks$(i, i', \tau - t)$. We consider these two conditions by cases:

1. $p' \in R_{\{i,i'\}}$.

This is the case because the function future$_{\{i,i'\}}(p, t)$ only considers $R_{\{i,i'\}}$-reachable states.

2. $p' \in$ disjoint-claimed-tracks$(i, i', \tau - t)$.

Since $p \in$ disjoint-claimed-tracks$(i, i', \tau)$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, it follows that $p' \in$ disjoint-claimed-tracks$(i, i', \tau - t)$, as needed. ∎

Lemma 7.4.13 For all $p \in T_{\{i,i'\}}(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in$ future$_{\{i,i'\}}(p, t)$, where $t \in [0, \tau]$, it is the case that $p' \in G_{\{i,i'\}}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$.

Proof: Let $\tau \in \mathbb{R}^{\geq 0}$ and $\alpha$ be an execution fragment of the MERGE-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $T_{\{i,i'\}}(\tau)$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time $t$ that lies in the interval $[0, \tau]$. Letting $p_{init}$ and $p_{final}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{final} \in G_{\{i,i'\}}$, $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{final} = p_{init}$ and $\alpha.ltime = 0$, i.e., $t = 0$. From Lemma 7.4.1, part 1, and the fact that $p_{init} \in T_{\{i,i'\}}(\tau)$, it follows that $p_{final} \in G_{\{i,i'\}}$. Moreover, since $t = 0$, the conditions $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$ are trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, with $\alpha.ltime = t$, where $t \in [0, \tau]$, then $p_{final} \in G_{\{i,i'\}}$, $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$, and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories and let $\alpha'.ltime = t'$, where $t' \in [0, t]$. The induction hypothesis involves the assertion that if $p'_{init}$ and $p'_{final}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{final} \in G_{\{i,i'\}}$, $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$, and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Moreover, from Lemma 7.4.12 it follows that $p'_{final} \in T_{\{i,i'\}}(\tau - t')$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{final}$ to $p_{final}$.

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible actions by cases:

1. the actions protect(C)$_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the brick-wall(i) action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the brick-wall(i) action does not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \leq p'_{final}.\dot{x}_i$. Moreover, since the brick-wall(i) action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

3. the brick-wall(i') action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the brick-wall(i') action does not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \leq p'_{final}.\dot{x}_{i'}$. Moreover, since the brick-wall(i') action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

4. the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I - \{i,i'\}$, affect neither the velocities of the vehicles $i$ and $i'$, nor the collided(i, i') and collided(i', i) variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and brick-wall(i''), for $i'' \in I - \{i,i'\}$, do not affect the collided(i, i') and collided(i', i) variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Moreover, since the input actions protect(C)$_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions brick-wall(i''), for $i'' \in I - \{i,i'\}$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis we have $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

5. the internal actions colliding-pair(i'', i'''), for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions collision-effects(i''''), for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{final} \in T_{\{i,i'\}}(\tau - t')$.

In the case of a trajectory, Lemma 4.4.4, part 2, applies and it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. Moreover, since $p'_{final} \in G_{\{i,i'\}}$ and the collided(i, i') and collided(i', i) variables remain constant throughout the trajectory, it follows that $p_{final} \in G_{\{i,i'\}}$, as needed. ∎

Lemma 7.4.14 For $\tau \in \mathbb{R}^{\geq 0}$ and $t \in [0, \tau]$, it is the case that future$_{\{i,i'\}}(T_{\{i,i'\}}(\tau), t) \subseteq T_{\{i,i'\}}(\tau - t)$.

Proof: Follows directly from Lemmas 7.4.12 and 7.4.13. ∎

Corollary 7.4.15 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that future$_{\{i,i'\}}(T_{\{i,i'\}}(t), 0) \subseteq T_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 7.4.14. ∎

Lemma 7.4.16 For any $t \in \mathbb{R}^{\geq 0}$, it is the case that $T_{\{i,i'\}}(t) \subseteq$ delay-safe$_{\{i,i'\}}(t)$.

Proof: From the definition of delay-safe in Section 3.2.1, we must show that:

1. future$_{\{i,i'\}}(T_{\{i,i'\}}(t), [0, t]) \subseteq G_{\{i,i'\}}$, and

2. future$_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq$ safe$_{\{i,i'\}}$.

The first condition follows directly from Lemma 7.4.14 and Lemma 7.4.1, part 1. Moreover, Lemma 7.4.14 and Lemma 7.4.1, part 4, imply that future$_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq W_{\{i,i'\}}$. Therefore, the second condition follows from Lemma 7.4.9. ∎

In the following lemma, we show that the MERGE-PROT-PAIR$_{\{i,i'\}}$ protector implements the Abs(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$) protector. Since the protector automata MERGE-PROT-PAIR$_{\{i,i'\}}$ and Abs$_j$ involve the composition of the same sensor automaton with distinct controller automata, it suffices to show that the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ implements the discrete controller automaton DC(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).

Lemma 7.4.17 MERGE-PROT-PAIR$_{\{i,i'\}} \leq$ Abs(MERGE-VEHICLES, $S_{\{i,i'\}}$, $R_{\{i,i'\}}$, $G_{\{i,i'\}}$, $j$, $d$).

Proof: Both the MERGE-PROT-PAIR$_{\{i,i'\}}$ and the Abs$_j$ protectors involve the composition of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ implements DC$_j$. This is shown by a simulation from the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ to DC$_j$.

The mapping between the states of the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ is almost the identity. In the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$, the variable send$_j$ is equal to either a member of $\mathcal{P}(\{i,i'\})$, or the value null. In DC$_j$, these valuations simply map to either the actions protect(C)$_j$, where $C$ is the member of $\mathcal{P}(\{i,i'\})$ that corresponds to the valuation of the variable send$_j$ of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$, or the value null, respectively.

The start states for the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ and DC$_j$ are the states in which send$_j$ = null. These are related to each other according to the mapping discussed above.

Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the MERGE-VEHICLES automaton that corresponds to the output state $y$, i.e., $p \in$ VALID and $p\lceil$MERGE-VEHICLES $= y$.

1. The snapshot(y)$_j$ action of the implementation sets send$_j$ to an element of $\mathcal{P}(\{i,i'\})$. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action snapshot(y)$_j$ of the implementation sets the value of the send$_j$ variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees that for all $p', p'' \in R_{\{i,i'\}}$ such that $p' \in$ future$_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, if $p \in$ safe$_{\{i,i'\}}$, and (ii) is an arbitrary output action of the implementation, otherwise.

First, consider the case in which $p \in$ safe$_{\{i,i'\}}$. Since Corollary 7.4.11 implies that $p \in W_{\{i,i'\}}$, the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ according to whether the state $p$ is in $T_{\{i,i'\}}(d)$, or not.

On one hand, if $p \notin T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to either $\{i\}$, or $\{i'\}$ according to the strategy described in Section 7.3. Therefore, the snapshot(y)$_j$ action enables either the protect({i})$_j$ action, or the protect({i'})$_j$ action. Since $p \in W_{\{i,i'\}}$, Lemma 7.4.8 implies that $p' \in W_{\{i,i'\}}$. Moreover, since the protect({i})$_j$ and protect({i'})$_j$ actions affect neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, Lemma 4.4.3, part 1, implies that $p'' \in$ disjoint-owned-tracks(i, i'). From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$. Moreover, since the protect({i})$_j$ and protect({i'})$_j$ actions set the brake-req(i, j) and brake-req(i', j) variables, respectively, to True, it follows that $p'' \in V_{\{i,i'\}}$. Finally, Lemma 7.4.7 implies that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, as needed.

On the other hand, if $p \in T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to $\emptyset$ and the protect($\emptyset$)$_j$ action is enabled. Since $p \in T_{\{i,i'\}}(d)$, Corollary 7.4.15 implies that $p' \in T_{\{i,i'\}}(d)$. Moreover, since the protect($\emptyset$)$_j$ action affects neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in T_{\{i,i'\}}(d)$, Lemma 4.4.3, part 2, implies that $p'' \in$ disjoint-claimed-tracks$(i, i', d)$. From the above conditions, it follows that $p'' \in T_{\{i,i'\}}(d)$. Finally, Lemma 7.4.16 implies that $p'' \in$ delay-safe$_{\{i,i'\}}(d)$, as needed.

Next, consider the case in which $p \notin$ safe$_{\{i,i'\}}$. In this case, the snapshot(y)$_j$ action of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ sets the variable send$_j$ to either $\{i\}$, $\{i'\}$, or $\emptyset$ and, subsequently, enables either the protect({i})$_j$ action, the protect({i'})$_j$ action, or the protect($\emptyset$)$_j$ action, respectively. However, when $p \notin$ safe$_{\{i,i'\}}$, the DC$_j$ automaton sets the variable send$_j$ arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of the protector MERGE-PROT-PAIR$_{\{i,i'\}}$ is allowed by that of the DC$_j$ automaton.

Therefore, the effects of the snapshot(y)$_j$ action of the implementation are allowed by its specification.

2. The protect(C)$_j$ actions, for $C \in \mathcal{P}(\{i,i'\})$, have identical effects in both discrete controller automata. When the send$_j$ variable matches either the set $C$, or the protect(C)$_j$ action, respectively, the action protect(C)$_j$ is executed and the send$_j$ variable is set to null in both discrete controller automata.

3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of MERGE-PROT-PAIR$_{\{i,i'\}}$ and the DC$_j$ automaton prior to and succeeding the execution of the environment action remains the same. ∎

Corollary 7.4.18 The protector MERGE-PROT-PAIR$_{\{i,i'\}}$ guarantees that the automaton MERGE-VEHICLES remains within $G_{\{i,i'\}}$ starting from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$.

Proof: Follows directly from Lemma 7.4.17 and Theorem 3.2.9. ∎
Table 7.3 Formal definitions of MERGE-PROT, $G_{\text{MERGE-PROT}}$, $S_{\text{MERGE-PROT}}$, and $R_{\text{MERGE-PROT}}$

MERGE-PROT $= \prod_{i,i' \in I,\, i \neq i'}$ MERGE-PROT-PAIR$_{\{i,i'\}}$

$G_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$

$S_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} S_{\{i,i'\}}$

$R_{\text{MERGE-PROT}} = P_{\text{not-overspeed}}$

7.5 Protection System MERGE-PROT

We now define the collision protector MERGE-PROT. While considering the automaton MERGE-PROT, we restrict the states of the MERGE-VEHICLES automaton to $P_{\text{not-overspeed}}$ as defined in Section 4.2, i.e., $R_{\text{MERGE-PROT}} = P_{\text{not-overspeed}}$. Let $G_{\text{MERGE-PROT}}$ and $S_{\text{MERGE-PROT}}$ be the intersection of $G_{\{i,i'\}}$ and $S_{\{i,i'\}}$, for all $\{i,i'\}$, where $i, i' \in I$, $i \neq i'$, respectively, and MERGE-PROT be the composition of MERGE-PROT-PAIR$_{\{i,i'\}}$, for all $\{i,i'\}$, where $i, i' \in I$, $i \neq i'$. The protector MERGE-PROT guarantees that MERGE-VEHICLES remains within $G_{\text{MERGE-PROT}}$ starting from $S_{\text{MERGE-PROT}}$ given $R_{\text{MERGE-PROT}}$. For reference, the formal definitions of the MERGE-PROT automaton and the sets $G_{\text{MERGE-PROT}}$, $S_{\text{MERGE-PROT}}$, and $R_{\text{MERGE-PROT}}$ are shown in Table 7.3.

Lemma 7.5.1 The protector MERGE-PROT guarantees that the MERGE-VEHICLES automa- 
ton remains within Ctmerge-prot jrom jmergb-prot given -Kmerge-prot- 

In the following proof, we show that all the states of an execution of PP X MERGE-PROT 
starting from ^merge-prot gi ven -Rmerge-prot are in Gmerge-prot- This is done by applying 
Theorem 3.1.8 and showing that the second condition of the theorem does not hold. 

Proof: Let a be any execution of the system PP X MERGE-PROT starting from a state in 
^merge-prot and in which all states are in -R M erge-prot- 

From Theorem 3.1.8, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$ except possibly the last state occurrence are in the
set $G_{\text{MERGE-PROT}} = \bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$.

(b) If the last state occurrence in $\alpha_1$ is not in $G_{\{i,i'\}}$, for some $i,i' \in I$, $i \neq i'$, then there
exist $i'',i''' \in I$, $i'' \neq i'''$, $\{i'',i'''\} \neq \{i,i'\}$, such that the last state occurrence in
$\alpha_1$ is not in $G_{\{i'',i'''\}}$.

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence are in the
set $\bigcap_{\{i'',i'''\} \in N} \mathit{past}(G_{\{i'',i'''\}}, \alpha)$, for some $N \subseteq \{\{i,i'\} \mid i,i' \in I,\, i \neq i'\}$, where
$|N| \geq 2$.

We proceed by showing that it is not possible to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$ while satisfying
the three aforementioned conditions.

The violation of $\bigcap_{i,i' \in I,\, i \neq i'} G_{\{i,i'\}}$ can only occur through the violation of at least one
of the conditions $G_{\{i,i'\}}$, where $i,i' \in I$, $i \neq i'$. Moreover, each of these conditions is
violated only through the execution of a colliding-pair action. Without loss of generality,
suppose that the first condition that is violated in $\alpha$ is the condition $G_{\{i,i'\}}$, for some
$i,i' \in I$, $i \neq i'$, and that such a violation has resulted through a colliding-pair$(i,i')$
action. Let $p$ and $p'$ be the states of the MERGE-VEHICLES automaton prior to and succeeding
this colliding-pair$(i,i')$ action, i.e., $p,p' \in R_{\text{MERGE-PROT}}$ such that $p \xrightarrow{\pi} p'$, where $\pi =$
colliding-pair$(i,i')$. Since the colliding-pair$(i,i')$ action only sets the collided$(i,i')$
variable to True, it follows that
$p' \in \overline{G_{\{i,i'\}}} \cap \bigl(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\bigr)$. Now,
we attempt to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$:

1. Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in
$\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I$,
$i'' \neq i'''$, is violated, it is the case that $p \in \bigcap_{i'',i''' \in I,\, i'' \neq i'''} G_{\{i'',i'''\}}$ and there
does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I,\, i'' \neq i'''\}$ such that $|N| \geq 2$ and
$p \in \bigcap_{\{i'',i'''\} \in N} \mathit{past}(G_{\{i'',i'''\}}, \alpha)$. Therefore, the third condition is violated and this
decomposition of $\alpha$ is not valid.

2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first
state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I$, $i'' \neq i'''$, is violated and
since the state $p'$ is in $\overline{G_{\{i,i'\}}} \cap \bigl(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\bigr)$, it follows that
there does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I,\, i'' \neq i'''\}$ such that $|N| \geq 2$ and
$p' \in \bigcap_{\{i'',i'''\} \in N} \mathit{past}(G_{\{i'',i'''\}}, \alpha)$. Therefore, the third condition is violated and this
decomposition of $\alpha$ is not valid.

3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state
of $\alpha_2$. However, $p' \in \overline{G_{\{i,i'\}}} \cap \bigl(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\bigr)$. Therefore, the
second condition is violated and this decomposition of $\alpha$ is not valid.

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since
$p' \in \overline{G_{\{i,i'\}}} \cap \bigl(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\bigr)$, it follows that the state $p'$ is not
in the set $\bigcap_{i'',i''' \in I,\, i'' \neq i'''} G_{\{i'',i'''\}}$. Therefore, the first condition is violated and this
decomposition of $\alpha$ is not valid.

Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that
the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{\text{MERGE-PROT}}$. This
implies that the protector MERGE-PROT guarantees $G_{\text{MERGE-PROT}}$ in the MERGE-VEHICLES
automaton starting from $S_{\text{MERGE-PROT}}$ given $R_{\text{MERGE-PROT}}$. ■
Chapter 8

Example 4: Collision Avoidance on a General Graph of Tracks



In this chapter, we consider a general track topology involving binary merges and diverges.
We first augment the model of the PRT 2000™ to involve a track topology consisting of
multiple branches interconnected by Y-shaped merges and diverges — the new model is
referred to as the GRAPH-VEHICLES automaton. Then we define the protector GRAPH-PROT
that guarantees that none of the vehicles of the GRAPH-VEHICLES automaton collide, assuming
that they are all abiding by the speed limit. The GRAPH-PROT protector is defined as the
composition of $n(n-1)/2$ separate copies of another protector called GRAPH-PROT-PAIR$_{\{i,i'\}}$,
one copy for each unordered pair $\{i,i'\}$ of vehicles of the GRAPH-VEHICLES automaton, for
$i,i' \in I$, $i \neq i'$. Each of these GRAPH-PROT-PAIR$_{\{i,i'\}}$ protectors, for $i,i' \in I$, $i \neq i'$, is an
implementation of a particular instantiation of the abstract protector automaton of Section 3.2
and guarantees that the vehicles $i$ and $i'$ do not collide into each other.

8.1 Augmented Physical Plant: GRAPH-VEHICLES 

In this section we augment the model for the system of $n$ vehicles to involve a track topology
involving binary merges and diverges. This is done by extending the definition of the
location of a vehicle to support a graph of tracks and by introducing an additional internal
discrete action which is used to update the location variables of the vehicles as they cross
the junction points in the track topology.

The track topology is represented by a directed graph $G = (V,E)$, where $V$ and $E$ denote
the sets of vertices and edges of the graph $G$, respectively. The vertices and edges of the
graph $G$ correspond, respectively, to the junctions and branches of the track topology. Any
edge $e$ of the graph $G$ is specified by an ordered pair of vertices that denote the initial and
the final vertices of the directed edge $e$, i.e., $e = (v_{\mathit{init}}, v_{\mathit{final}})$. We use the notation $e.v_{\mathit{init}}$
and $e.v_{\mathit{final}}$ to denote the initial and final vertices of the edge $e$, respectively. The function
$\mathit{length} : E \to \mathbb{R}^{+}$ maps an edge to its length. Moreover, the functions $\mathit{in}(v)$, $\mathit{out}(v)$, and
$e(v)$ map the vertex $v$ of the graph $G$ to its sets of incoming edges, outgoing edges, and
both incoming and outgoing edges, respectively; that is, $\mathit{in} : V \to \mathcal{P}(E)$, $\mathit{out} : V \to \mathcal{P}(E)$,
and $e : V \to \mathcal{P}(E)$, with $e(v) = \mathit{in}(v) \cup \mathit{out}(v)$, for all $v \in V$.

The graph $G$, as defined above, is assumed to satisfy the following conditions:

• All the edges of the graph $G$ are of sufficient length to rule out collisions among vehicles
that are neither on identical, nor on contiguous edges; that is, if $d_{\max}$ is the maximum
sampling period of all the protectors under consideration, the length of each edge
in the graph $G$ is greater than $\Delta x_{\max} = c_{\max} d_{\max} + c_{\max}^2/(2c_{\mathit{brake}})$ — the maximum
distance a vehicle can travel if left free for $d_{\max}$ time units and instructed to brake
thereafter, under the assumption that the vehicle does not collide and is abiding by the
speed limit. This restriction rules out the possibility of a vehicle having a $d_{\max}$ time
unit claim overlap with a vehicle that is more than one edge upstream or downstream.

• All the merges and diverges of the graph $G$ are Y-shaped; that is, for each vertex $v$
in the graph $G$, it is the case that $(|\mathit{in}(v)|, |\mathit{out}(v)|) \in \{(1,1), (2,1), (1,2)\}$.

• All cycles must contain at least three edges. This condition ensures that the ordering
of the locations of vehicles traveling on successive branches of the track topology is
well defined.

Any point on the graph $G$ is represented by a pair consisting of the directed edge of the
graph $G$ and the distance of the particular point from the initial vertex of the directed edge.
The formal definition of the set $L$ of locations is as follows:

$L = \{(e, x) \mid e \in E \text{ and } x \in [0, \mathit{length}(e)]\}$

The set of locations is constrained by the length of the edges of the graph $G$; that is, for
$l \in L$ and $l = (e,x)$, it is the case that $x \in [0, \mathit{length}(e)]$. We use the notation $l.e$ and $l.x$
to denote the edge and position components of the location $l$, respectively. It is important
to note that, in this representation scheme, the vertices of the graph $G$ have non-unique
representations; that is, for all edges $e,e' \in E$, with $e.v_{\mathit{final}} = e'.v_{\mathit{init}}$, it is the case that
the location $l = (e, \mathit{length}(e))$ is identical to the location $l' = (e', 0)$. Finally, two locations
in $L$ are comparable if they are locations either on identical, or on successive edges, i.e.,
the locations $l,l' \in L$ are comparable only if either $l.e = l'.e$, or $l.e.v_{\mathit{final}} = l'.e.v_{\mathit{init}}$, or
$l.e.v_{\mathit{init}} = l'.e.v_{\mathit{final}}$.
Addition of a non-negative scalar $y$ to a location $l \in L$, where $l = (e,x)$, maps the location
$l$ to the set of locations that can be reached from the location $l$ by traveling a distance
$y$ downstream. The set $(e,x) + y$ always exists and is defined to be either the singleton
$\{(e, x + y)\}$, if $x + y < \mathit{length}(e)$, or the set
$\bigcup_{e' \in \mathit{out}(e.v_{\mathit{final}})} \bigl((e', 0) + (x + y - \mathit{length}(e))\bigr)$,
otherwise. This definition handles the cases in which the locations $(e,x) + y$ extend past a
single split or merge, or even multiple splits and/or merges in the track topology.

It is important to note that addition of a location $l$ with a non-negative scalar that is
bounded by the minimum distance from the location $l$ to the closest second junction
downstream results in a set of locations in which each location $l'$ is comparable to the
location $l$ and satisfies the inequality $l \leq l'$; that is, for all $l \in L$, where $l = (e,x)$, and
$y \in [0, \mathit{length}(e) - x + \min_{e' \in \mathit{out}(e.v_{\mathit{final}})} \mathit{length}(e')]$, the location $l$ is comparable to all
locations in $l + y$ and, moreover, $l \leq l'$, for all $l' \in l + y$. In particular, since the length of each
edge of the graph $G$ is assumed to be greater than $\Delta x_{\max}$, addition of a location $l$ with
a non-negative scalar $y < \Delta x_{\max}$ results in a set of locations in which each location $l'$ is
comparable to the location $l$ and satisfies the inequality $l \leq l'$.

A closed interval in $L$ is specified with an ordered pair of comparable locations and contains
all locations between them, e.g., $[(e_1, x_1), (e_2, x_2)]$. The partial ordering on comparable
locations in $L$ is as follows: $(e_1, x_1) \leq (e_2, x_2)$ if and only if either $x_1 \leq x_2$ and $e_1 = e_2$, or
$e_1.v_{\mathit{final}} = e_2.v_{\mathit{init}}$.
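The graph assumptions, the set-valued addition $(e,x) + y$ and the comparability and ordering relations just defined, as an added executable illustration that is not part of the thesis. The class and method names (TrackGraph, violations, add, comparable, leq, addition_is_ordered) and the sample five-edge topology are this example's own assumptions; the last method checks the property stated above, that addition stays comparable and ordered only while the distance does not run past a second junction.

```python
# Added example, not code from the thesis: a small executable model of the
# track graph G = (V, E), the location set L, scalar addition on locations and
# the comparability / ordering relations of Section 8.1. All names and the
# sample graph below are this example's own assumptions.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Edge = str                 # edge identifier; endpoints and length are stored per edge
Loc = Tuple[Edge, float]   # a location (e, x) with 0 <= x <= length(e)


class TrackGraph:
    def __init__(self, edges: Dict[Edge, Tuple[str, str, float]]):
        # edges maps e -> (e.v_init, e.v_final, length(e))
        self.edges = edges
        self.out_edges: Dict[str, List[Edge]] = defaultdict(list)  # out(v)
        self.in_edges: Dict[str, List[Edge]] = defaultdict(list)   # in(v)
        for e, (v_init, v_final, _) in edges.items():
            self.out_edges[v_init].append(e)
            self.in_edges[v_final].append(e)

    def length(self, e: Edge) -> float:
        return self.edges[e][2]

    def v_init(self, e: Edge) -> str:
        return self.edges[e][0]

    def v_final(self, e: Edge) -> str:
        return self.edges[e][1]

    def violations(self, dx_max: float) -> List[str]:
        """Check the three assumptions on G from Section 8.1; one message per violation."""
        problems: List[str] = []
        for e in self.edges:
            if self.length(e) <= dx_max:
                problems.append(f"edge {e} is not longer than dx_max")
        for v in set(self.in_edges) | set(self.out_edges):
            shape = (len(self.in_edges[v]), len(self.out_edges[v]))
            if shape not in {(1, 1), (2, 1), (1, 2)}:
                problems.append(f"vertex {v} has (|in|, |out|) = {shape}, not Y-shaped")
        # A cycle with fewer than three edges is a self-loop or a pair v -> w -> v.
        for e, (v_init, v_final, _) in self.edges.items():
            if v_init == v_final or any(self.v_final(e2) == v_init for e2 in self.out_edges[v_final]):
                problems.append(f"edge {e} lies on a cycle of fewer than three edges")
        return problems

    def add(self, loc: Loc, y: float) -> Set[Loc]:
        """(e, x) + y: every location a distance y downstream of (e, x), following
        all outgoing edges at each junction that the distance y runs past."""
        e, x = loc
        if x + y < self.length(e):
            return {(e, x + y)}
        remaining = x + y - self.length(e)
        result: Set[Loc] = set()
        for e2 in self.out_edges[self.v_final(e)]:
            result |= self.add((e2, 0.0), remaining)
        return result

    def comparable(self, l1: Loc, l2: Loc) -> bool:
        """Locations on the same edge or on two successive edges."""
        e1, e2 = l1[0], l2[0]
        return (e1 == e2 or self.v_final(e1) == self.v_init(e2)
                or self.v_init(e1) == self.v_final(e2))

    def leq(self, l1: Loc, l2: Loc) -> bool:
        """The partial order l1 <= l2 on comparable locations."""
        (e1, x1), (e2, x2) = l1, l2
        return (e1 == e2 and x1 <= x2) or self.v_final(e1) == self.v_init(e2)

    def addition_is_ordered(self, loc: Loc, y: float) -> bool:
        """True when every location in loc + y is comparable to loc and downstream of it."""
        return all(self.comparable(loc, l2) and self.leq(loc, l2) for l2 in self.add(loc, y))


# Constructed sample topology: a Y-merge at M and a Y-diverge at D, closed into
# two three-edge cycles (A -> M -> D -> A and B -> M -> D -> B).
SAMPLE = TrackGraph({
    "a": ("A", "M", 100.0), "b": ("B", "M", 100.0), "c": ("M", "D", 100.0),
    "d": ("D", "A", 100.0), "f": ("D", "B", 100.0),
})

if __name__ == "__main__":
    print(SAMPLE.violations(50.0))                          # []
    print(SAMPLE.add(("c", 95.0), 10.0))                    # past the diverge: both branches
    print(SAMPLE.addition_is_ordered(("a", 90.0), 120.0))   # False: runs past a second junction
```

With dx_max = 50 the sample graph passes all three checks; a two-edge loop P → Q → P fails the cycle check. Adding 120 to (a, 90) runs through M and past D onto edges d and f, and (d, 10) is comparable to (a, 90) only because d leads back into a, so the ordering no longer holds, which is exactly why the thesis bounds the scalar by Δx_max.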

Due to the fact that the extent of a vehicle may extend beyond a split in the track topology,
we redefine the notion of the section of the track occupied by a particular vehicle as the
union of the intervals extending from the current position of the vehicle to a point on the
track that is a distance $c_{\mathit{len}}$ downstream; that is, the extent of a vehicle $i \in I$ is the set

In view of breaking the right-of-way symmetry when vehicles approach a merge in the track
topology, we must define a prioritization scheme. In Chapter 7, the prioritization was based
on the configuration of the merge; namely, the vehicle traveling on the right branch of the
merge had priority over a vehicle traveling on the left branch. In the case of the graph
of tracks, the notion of either left, or right is not well defined. Therefore, we associate
a unique priority index to each edge of the graph and give priority to vehicles traveling on
the edge whose priority index is greater. Let the function priority be an injection from the
set of edges $E$ of the graph $G$ to the set of natural numbers $\mathbb{N}$; that is, $\mathit{priority} : E \to \mathbb{N}$,
where for any $e,e' \in E$, $e \neq e'$, it is the case that $\mathit{priority}(e) \neq \mathit{priority}(e')$.

The new model of the physical system, called GRAPH-VEHICLES, is presented in Figure 8.1.
The GRAPH-VEHICLES automaton is the result of augmenting the MERGE-VEHICLES automaton
of Chapter 7 so as to involve a general track topology consisting of Y-shaped merges and
diverges. Each of the reset-location$(i)$ actions, for $i \in I$, is enabled when the vehicle $i$
has reached the final point of the directed edge on which it is traveling, i.e., the vehicle $i$
Figure 8.1 The GRAPH-VEHICLES automaton.

Actions:
  Input:    e, the environment action (stuttering)
            protect(C)_j, for all C ∈ P(I), j ∈ J
  Internal: colliding-pair(i,i'), for all i,i' ∈ I, i ≠ i'
            collision-effects(i), for all i ∈ I
            brick-wall(i), for all i ∈ I
            reset-location(i), for all i ∈ I

Variables:
  Internal: ẍ_i ∈ R, for all i ∈ I, initially ẍ_i ∈ R
            brake(i) ∈ Bool, for all i ∈ I, initially False
            brake-req(i,j) ∈ Bool, for all i ∈ I, j ∈ J, initially False
  Output:   l_i ∈ L, for all i ∈ I, initially l_i ∈ L
            ẋ_i ∈ R, for all i ∈ I, initially ẋ_i ∈ R
            collided(i,i') ∈ Bool, for all i,i' ∈ I, i ≠ i', initially False
  subject to VALID

Discrete Transitions:

protect(C)_j
  Eff: for all i ∈ C
         brake-req(i,j) := True
         if ¬brake(i) then
           brake(i) := True
           if ẋ_i = 0 then ẍ_i := 0
           else ẍ_i := −c_brake
       for all i ∈ I − C
         brake-req(i,j) := False
         if brake(i) ∧ (¬ ∨_{k ∈ J} brake-req(i,k)) then
           brake(i) := False
           ẍ_i :∈ [c_min, c_max]

colliding-pair(i,i')
  Pre: ¬collided(i,i')
       ∧ (E_i ∩ E_{i'} ≠ ∅)
       ∧ (l_i < min(E_i ∩ E_{i'}))
  Eff: collided(i,i') := True
       if (l_i.e ≠ l_{i'}.e) ∧ (l_i.e.v_final = l_{i'}.e.v_final) then
         collided(i',i) := True

collision-effects(i)
  Pre: collided(*,i,*)
  Eff: ẋ_i :∈ R^{≥0}
       ẍ_i :∈ R

brick-wall(i)
  Pre: True
  Eff: ẋ_i := 0
       if brake(i) then ẍ_i := 0
       else ẍ_i :∈ [0, c_max]

reset-location(i)
  Pre: l_i.x = length(l_i.e)
  Eff: l_i.e :∈ out(l_i.e.v_final)
       l_i.x := 0

Trajectories:
  for all i,i' ∈ I, i ≠ i', collided(i,i') is constant throughout w
  for all i ∈ I and j ∈ J, brake(i) and brake-req(i,j) are constant throughout w
  for all i ∈ I
    the function w.ẍ_i is integrable
    w(t).ẋ_i = w(0).ẋ_i + ∫_0^t w(s).ẍ_i ds
    w(t).l_i.x = w(0).l_i.x + ∫_0^t w(s).ẋ_i ds
    if w(t).l_i.x = length(w(t).l_i.e) then t = w.ltime
  for all i,i' ∈ I, i ≠ i'
    if ¬w.collided(i,i') ∧ (w(t).E_i ∩ w(t).E_{i'} ≠ ∅) ∧ (w(t).l_i < min(w(t).E_i ∩ w(t).E_{i'}))
    then t = w.ltime
  subject to VALID
is located on a vertex of the graph $G$. At that point in time, its location is nondeterministically
set to the initial point of an arbitrary outgoing edge of the vertex on which the
vehicle $i$ is located.

The remaining state variables, derived variables, and discrete actions of either the VEHICLES
automaton of Chapter 4, or the MERGE-VEHICLES automaton of Chapter 7, as well as the
notational shorthand collided$(i,*)$, collided$(*,i)$, and collided$(*,i,*)$, for all $i \in I$, defined
for the VEHICLES automaton in Section 4.1, carry over to the GRAPH-VEHICLES automaton
unchanged.

As in the case of the MERGE-VEHICLES automaton, the set of input actions of the GRAPH-VEHICLES
automaton includes the actions protect$(C)_j$, for $C \in \mathcal{P}(I)$ and $j \in J$; that is,
the GRAPH-VEHICLES automaton allows each protector $j$, for $j \in J$, to brake any subset
of the vehicles. However, it is often the case that a protector $j$, for some $j \in J$, need
schedule only a subset of the actions protect$(C)_j$, for $C \in \mathcal{P}(I)$. In such cases, the
protector $j$ is specified as having only the output actions that it is capable of scheduling,
and the remaining input actions of the GRAPH-VEHICLES automaton on port $j$ are ignored.

The VALID set of the GRAPH-VEHICLES automaton is the redefinition of the VALID set of
the VEHICLES automaton to account for the new track topology representation.
$\mathit{VALID} \subseteq \mathit{states}(\text{GRAPH-VEHICLES})$, defined as the set of states of the GRAPH-VEHICLES
automaton that satisfy the following conditions:

1. For all $i,i' \in I$, $i \neq i'$, $E_i \cap E_{i'}$ contains no positive-length closed interval.

2. $\dot{x}_i \geq 0$, for all $i \in I$.

3. If $\neg\mathit{collided}(*,i,*)$ then $\ddot{x}_i \in [c_{\min}, c_{\max}]$, for all $i \in I$.

4. If $\neg\mathit{collided}(*,i,*) \wedge \mathit{brake}(i)$ then if $\dot{x}_i = 0$ then $\ddot{x}_i = 0$ else $\ddot{x}_i = -c_{\mathit{brake}}$, for all
$i \in I$.

The GRAPH-VEHICLES automaton complies with the assumptions made about the PP automaton
in Section 3.2.1. The GRAPH-VEHICLES automaton has neither input variables, nor
output actions, on any of its ports (Axioms 3.2.1 and 3.2.2, respectively). Moreover, each
of the actions protect$(C_j)_j$, for $j \in J$ and $C_j = \{i \mid \mathit{brake\text{-}req}(i,j) = \text{True}\}$, is a no-op
input action on port $j$ for any $R \subseteq \mathit{VALID}$. Therefore, the set of no-op input actions on
each port $j \in J$ and any $R \subseteq \mathit{VALID}$ is non-empty (Axiom 3.2.3).
8.2 Auxiliary Derived Variables and Auxiliary Sets for the GRAPH-VEHICLES Automaton

In this section, we define auxiliary derived variables and sets for the GRAPH-VEHICLES
automaton. Most of these variables and sets carry over from either the VEHICLES, or the
MERGE-VEHICLES automata. In such cases, the variables and sets are redefined only when
their extension to the GRAPH-VEHICLES automaton is not obvious.

As in Chapter 7, we assume that the variables stop-dist$_i$, max-range$_i(t)$, and max-vel$_i(t)$,
defined for the VEHICLES automaton in Section 4.3, extend to involve location instead of
position variables in the obvious way.

As in the case of the extents of the vehicles of the GRAPH-VEHICLES automaton, we redefine
the sections of track owned and claimed by the vehicles in the GRAPH-VEHICLES automaton.
While their formal definitions appear in Table 8.1, their informal interpretations follow.

$O_i$, for $i \in I$, is the section of track that the vehicle $i$ "owns". A vehicle $i$ owns all
track intervals that extend from the current position of the vehicle $i$ to the points on
the track that the vehicle $i$ can reach even if it is braked immediately. Due to the
possibility of such track intervals extending beyond a split in the track topology, the
variable $O_i$ is the union of all the intervals that the vehicle $i$ owns.

$C_i(t)$, for $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, is the section of track that the vehicle $i$ "claims" within $t$ time
units. A vehicle $i$ claims within $t$ time units all track intervals that extend from the
current position of the vehicle $i$ to the points on the track that the vehicle $i$ can reach
if braked after $t$ time units and assuming worst-case vehicle behavior up to the point
in time when it is braked. Due to the possibility of such track intervals extending
beyond a split in the track topology, the variable $C_i(t)$ is the union of all the intervals
that the vehicle $i$ claims within $t$ time units.

Henceforth, we assume that the sets disjoint-extents$(i,i')$, disjoint-owned-tracks$(i,i')$, and
disjoint-claimed-tracks$(i,i',t)$, for $i,i' \in I$, $i \neq i'$ and $t \in \mathbb{R}^{\geq 0}$, defined for the VEHICLES
automaton in Section 4.3, have been extended to the GRAPH-VEHICLES automaton to
incorporate the redefinitions of the derived variables used in their definitions. Moreover, we
assume that Lemmas 4.4.1, 4.4.2, 4.4.3, 4.4.4, and 4.4.5 extend to the GRAPH-VEHICLES
automaton in the obvious way.

Several auxiliary sets for the GRAPH-VEHICLES automaton are described below. Their formal
definitions appear in Table 8.2.

successive$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states
in which the vehicles $i$ and $i'$ are traveling in succession either on the same, or on
Table 8.1 Auxiliary derived variables for the GRAPH-VEHICLES automaton.

$O_i \subseteq L$, for all $i \in I$, defined by

$O_i = \bigcup_{l'_i \in l_i + (\mathit{stop\text{-}dist}_i + c_{\mathit{len}})} [l_i, l'_i]$

$C_i(t) \subseteq L$, for all $i \in I$ and $t \in \mathbb{R}^{\geq 0}$, defined by

$C_i(t) = \bigcup_{l'_i \in l_i + (\mathit{max\text{-}range}_i(t) + \mathit{max\text{-}vel}_i(t)^2/(2c_{\mathit{brake}}) + c_{\mathit{len}})} [l_i, l'_i]$

successive directed edges; that is, states in which either the vehicle i is downstream 
of the vehicle i', or the vehicle i' is downstream of the vehicle i. 

adjacent$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which
the vehicles $i$ and $i'$ are traveling on different tracks that lead to the same junction;
that is, the edges on which the vehicles $i$ and $i'$ are traveling are distinct and have the
same final vertex.

proximate$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in
which the vehicles $i$ and $i'$ are traveling either in succession as defined by the set
successive$(i,i')$, or on adjacent tracks as defined by the set adjacent$(i,i')$.

remote$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in
which the vehicles $i$ and $i'$ are traveling neither in succession as defined by the set
successive$(i,i')$, nor on adjacent tracks as defined by the set adjacent$(i,i')$.

yield-successive$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of successive$(i,i')$ that consists of the
states in which, in the case of a claim overlap among the vehicles $i$ and $i'$, the vehicle $i$
must yield to the vehicle $i'$. When the vehicles $i$ and $i'$ are traveling in succession,
the vehicle $i$ must yield to the vehicle $i'$ if the vehicle $i$ is trailing the vehicle $i'$. The
vehicle $i$ is said to be trailing the vehicle $i'$ if the location of the vehicle $i$ is strictly
less than the location of the vehicle $i'$.

yield-adjacent$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of adjacent$(i,i')$ that consists of the
states in which, in the case of a claim overlap among the vehicles $i$ and $i'$, the vehicle $i$
must yield to the vehicle $i'$. When the vehicles $i$ and $i'$ are traveling on adjacent
incoming tracks, the vehicle $i$ must yield to the vehicle $i'$ if either only the vehicle $i'$
owns the upcoming merge point, or the vehicle $i'$ has priority and neither or both
vehicles own the merge point.

yield$(i,i')$, for $i,i' \in I$, $i \neq i'$, is the subset of VALID that consists of the states in which,
Table 8.2 Auxiliary sets for the GRAPH-VEHICLES automaton.

successive$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{successive}(i,i') = \{p \in \mathit{VALID} \mid (p.l_i.e = p.l_{i'}.e) \vee (p.l_i.e.v_{\mathit{final}} = p.l_{i'}.e.v_{\mathit{init}}) \vee (p.l_{i'}.e.v_{\mathit{final}} = p.l_i.e.v_{\mathit{init}})\}$

adjacent$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{adjacent}(i,i') = \{p \in \mathit{VALID} \mid (p.l_i.e \neq p.l_{i'}.e) \wedge (p.l_i.e.v_{\mathit{final}} = p.l_{i'}.e.v_{\mathit{final}})\}$

proximate$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{proximate}(i,i') = \mathit{successive}(i,i') \cup \mathit{adjacent}(i,i')$

remote$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{remote}(i,i') = \mathit{VALID} - \mathit{proximate}(i,i')$

yield-successive$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{yield\text{-}successive}(i,i') = \{p \in \mathit{successive}(i,i') \mid p.l_i < p.l_{i'}\}$

yield-adjacent$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{yield\text{-}adjacent}(i,i') = \{p \in \mathit{adjacent}(i,i') \mid$
$\quad ((p.l_i.e, \mathit{length}(p.l_i.e)) \notin p.O_i \wedge (p.l_{i'}.e, \mathit{length}(p.l_{i'}.e)) \in p.O_{i'})$
$\quad \vee ((p.l_i.e, \mathit{length}(p.l_i.e)) \in p.O_i \wedge (p.l_{i'}.e, \mathit{length}(p.l_{i'}.e)) \in p.O_{i'} \wedge \mathit{priority}(p.l_i.e) < \mathit{priority}(p.l_{i'}.e))$
$\quad \vee ((p.l_i.e, \mathit{length}(p.l_i.e)) \notin p.O_i \wedge (p.l_{i'}.e, \mathit{length}(p.l_{i'}.e)) \notin p.O_{i'} \wedge \mathit{priority}(p.l_i.e) < \mathit{priority}(p.l_{i'}.e))\}$

yield$(i,i') \subseteq \mathit{VALID}$, for $i,i' \in I$, $i \neq i'$, defined by
$\mathit{yield}(i,i') = \mathit{yield\text{-}successive}(i,i') \cup \mathit{yield\text{-}adjacent}(i,i')$




in the case of a claim overlap among the vehicles i and i', the vehicle i must yield to 
the vehicle i' in order to prevent a potential collision between the vehicles i and i'. 

The following lemma describes some properties of the sets defined above. 

Lemma 8.2.1 For all $i,i' \in I$, $i \neq i'$, the following hold:

1. $\mathit{VALID} = \mathit{proximate}(i,i') \cup \mathit{remote}(i,i')$.

2. $\mathit{proximate}(i,i') \cap \mathit{remote}(i,i') = \emptyset$.

3. $\mathit{successive}(i,i') = \mathit{yield\text{-}successive}(i,i') \cup \mathit{yield\text{-}successive}(i',i)$.

4. $\mathit{yield\text{-}successive}(i,i') \cap \mathit{yield\text{-}successive}(i',i) = \emptyset$.

5. $\mathit{adjacent}(i,i') = \mathit{yield\text{-}adjacent}(i,i') \cup \mathit{yield\text{-}adjacent}(i',i)$.

6. $\mathit{yield\text{-}adjacent}(i,i') \cap \mathit{yield\text{-}adjacent}(i',i) = \emptyset$.

Proof: We prove each of the conditions separately: 

1. The condition that $\mathit{VALID} = \mathit{proximate}(i,i') \cup \mathit{remote}(i,i')$, for each $i,i' \in I$, $i \neq i'$,
follows from the definition of the sets proximate$(i,i')$ and remote$(i,i')$.

2. As for the first condition, the condition that $\mathit{proximate}(i,i') \cap \mathit{remote}(i,i') = \emptyset$, for each
$i,i' \in I$, $i \neq i'$, follows from the definition of the sets proximate$(i,i')$ and remote$(i,i')$.

3. For all $i,i' \in I$, $i \neq i'$, the sets yield-successive$(i,i')$ and yield-successive$(i',i)$ are both
subsets of the set successive$(i,i')$. Therefore, it suffices to show that any state $p$ in the
set successive$(i,i')$, for some $i,i' \in I$, $i \neq i'$, is either in the set yield-successive$(i,i')$,
or in the set yield-successive$(i',i)$.

Let the state $p$ be any state in successive$(i,i')$, for some $i,i' \in I$, $i \neq i'$. Since
$\mathit{successive}(i,i') \subseteq \mathit{VALID}$, it is the case that $p \in \mathit{VALID}$. Therefore, the sections
of the track occupied by the vehicles $i$ and $i'$ do not have a positive length closed
interval overlap. It follows that it is not possible for their locations to coincide; that
is, for any $p \in \mathit{successive}(i,i')$, it is the case that $p.l_i \neq p.l_{i'}$. Therefore, regarding the
ordering of the locations of the vehicles $i$ and $i'$, there are only two viable cases:

(a) $p.l_i < p.l_{i'}$. In this case, $p \in \mathit{yield\text{-}successive}(i,i')$.

(b) $p.l_{i'} < p.l_i$. In this case, $p \in \mathit{yield\text{-}successive}(i',i)$.

4. If $p \in \mathit{yield\text{-}successive}(i,i')$ then it is the case that $p.l_i < p.l_{i'}$. It follows that
$p \notin \mathit{yield\text{-}successive}(i',i)$. Similarly, if $p \in \mathit{yield\text{-}successive}(i',i)$ then it is the case that
$p.l_{i'} < p.l_i$. It follows that $p \notin \mathit{yield\text{-}successive}(i,i')$. This suffices.
5. For all $i,i' \in I$, $i \neq i'$, the sets yield-adjacent$(i,i')$ and yield-adjacent$(i',i)$ are both
subsets of the set adjacent$(i,i')$. Therefore, it suffices to show that any state $p$ in the
set adjacent$(i,i')$, for some $i,i' \in I$, $i \neq i'$, is either in the set yield-adjacent$(i,i')$, or
in the set yield-adjacent$(i',i)$.

Let the state $p$ be any state in adjacent$(i,i')$, for some $i,i' \in I$, $i \neq i'$, and without loss
of generality let the vehicle $i'$ be the vehicle traveling on the incoming edge of greater
priority, i.e., $\mathit{priority}(p.l_i.e) < \mathit{priority}(p.l_{i'}.e)$. Regarding the ownership of the merge
point by each of the vehicles, there are four cases:

(a) $(\mathit{out},0) \in p.O_i \wedge (\mathit{out},0) \in p.O_{i'}$. In this case, $p \in \mathit{yield\text{-}adjacent}(i,i')$ and
$p \notin \mathit{yield\text{-}adjacent}(i',i)$.

(b) $(\mathit{out},0) \notin p.O_i \wedge (\mathit{out},0) \notin p.O_{i'}$. Similarly to above, $p \in \mathit{yield\text{-}adjacent}(i,i')$ and
$p \notin \mathit{yield\text{-}adjacent}(i',i)$.

(c) $(\mathit{out},0) \notin p.O_i \wedge (\mathit{out},0) \in p.O_{i'}$. In this case, $p \in \mathit{yield\text{-}adjacent}(i,i')$ and
$p \notin \mathit{yield\text{-}adjacent}(i',i)$.

(d) $(\mathit{out},0) \in p.O_i \wedge (\mathit{out},0) \notin p.O_{i'}$. In this case, $p \notin \mathit{yield\text{-}adjacent}(i,i')$ and
$p \in \mathit{yield\text{-}adjacent}(i',i)$.

6. This condition follows from the analysis in the proof of condition 5.



8.3 Protection System GRAPH-PROT-PAIR$_{\{i,i'\}}$

The GRAPH-PROT-PAIR$_{\{i,i'\}}$ automata, for $i,i' \in I$, $i \neq i'$, are vehicle-pair collision protectors
and guarantee that the vehicles $i$ and $i'$ do not collide into each other, provided that all the
vehicles are abiding by the speed limit and the vehicles of all other vehicle pairs do not collide
between themselves. Each of the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protectors, for $i,i' \in I$, $i \neq i'$, is an
implementation of the abstract protector of Section 3.2 specialized to particular definitions
of the parameters $PP$, $S$, $R$, $G$, $j$, and $d$.

The physical plant automaton, $PP$, is defined to be the GRAPH-VEHICLES automaton of
Figure 8.1. The port $j$ and the sampling period $d$ are defined to be the port and sampling
period with which the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ communicates with the GRAPH-VEHICLES
automaton. While the port $j$ is assumed arbitrary, the sampling period $d$ is
restricted to the set $(0, d_{\max}]$, where $d_{\max}$ is the maximum protector sampling period
presented in Section 8.1. The set of "good" states $G$ is defined to be the set of states in which
the vehicles $i$ and $i'$ have not collided into each other, i.e., $G = \mathit{VALID} - P_{\mathit{collided}(i,i')} - P_{\mathit{collided}(i',i)}$.
In this chapter, we use the notation $G_{\{i,i'\}}$ to denote the definition of $G$
that is specific to the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector. The set $R$ is defined to be the
set $R = P_{\text{not-overspeed}} \cap \bigl(\bigcap_{i'',i''' \in I,\, i'' \neq i''',\, \{i'',i'''\} \neq \{i,i'\}} G_{\{i'',i'''\}}\bigr)$. This definition restricts the
states of the GRAPH-VEHICLES automaton to states in which all the vehicles are abiding
by the speed limit and in which the vehicles of all other vehicle pairs $\{i'',i'''\}$, for
$i'',i''' \in I$, $i'' \neq i'''$, $\{i'',i'''\} \neq \{i,i'\}$, have not collided into each other. The set $S$ is defined
to be the set safe defined in Section 3.2.1; that is, the set of states of the $PP$ automaton
for which a single input action of $PP$ on port $j$ can guarantee that, provided no new input
actions on port $j$ are allowed, all subsequently $R$-reachable states will be in $G$. Once again,
the definition of the set safe is specialized to the above definitions of the automaton $PP$,
the sets $R$ and $G$, and the port $j$. In this chapter, we use the notation $R_{\{i,i'\}}$ and $S_{\{i,i'\}}$ to
refer to the above definitions of the sets $R$ and $S$.

The GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector automaton is an implementation of the abstract protector
automaton $\mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}}, R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$. More precisely, as is the
case for the abstract protector $\mathit{Abs}_j$, we define the GRAPH-PROT-PAIR$_{\{i,i'\}}$ automaton to
be the composition of a sensor and a discrete controller automaton. These automata are
implementations of their abstract equivalents of Figures 3.2 and 3.3 specialized, however,
to the above definitions of the parameters $PP$, $S$, $R$, $G$, $j$, and $d$. The sensor automaton is
precisely the specialization of the sensor automaton of Figure 3.2 to the above definitions
of the parameters $PP$, etc. The discrete controller automaton is defined in Figure 8.2.

The braking strategy of the GRAPH-PROT-PAIR r^n protector is as follows. The protector is 
allowed to brake the vehicles i and i' only if the sections of the track they claim in d time 
units overlap. Given that the vehicles i and i' are indeed involved in such a claim overlap, 
there are two possible scenarios depending on whether the vehicles i and i' are traveling 
in succession, or on adjacent tracks. If the vehicles are traveling in succession, then the 
vehicle i is instructed to brake if it trails the vehicle i'; otherwise, the vehicle i' is instructed 
to brake. On the other hand, if the vehicles i and i' are traveling on adjacent edges, the 
vehicle i is instructed to brake either if only the vehicle i' owns the merge point, or if both 
or neither vehicles own the merge point and the vehicle i' is traveling on the edge of greater 
priority; otherwise, the vehicle i' is instructed to brake. 
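The braking strategy just described, together with the owned and claimed sections of Table 8.1 and the successive/adjacent/yield sets of Table 8.2, as an added executable illustration that is not code from the thesis. It models one snapshot step of the discrete controller for two vehicles near a Y-merge, reducing the set-valued track sections to distances measured along the edges the vehicles occupy; the worst-case reach max-range$_i(t)$ and max-vel$_i(t)$ are modelled here as "accelerate at the maximum rate up to the speed limit, then brake", which is this example's assumption rather than the Section 4.3 definitions. All names (Vehicle, relation, yields, snapshot, exactly_one_yields) and constants are constructed for the example.

```python
# Added example, not code from the thesis: one snapshot step of the
# GRAPH-PROT-PAIR{i,i'} discrete controller of Figure 8.2 for two vehicles near
# a Y-merge. Table 8.1 / 8.2 are reduced to arithmetic along the vehicles' edges;
# max-range_i(t) / max-vel_i(t) are modelled as "accelerate at C_ACC up to the
# speed limit" (an assumption of this example). All names and constants are
# this example's own.
from dataclasses import dataclass
from typing import Dict, Set, Tuple

C_BRAKE = 2.0    # braking deceleration c_brake (constructed)
C_ACC = 1.0      # maximum acceleration (constructed)
C_SPEED = 10.0   # speed limit (constructed)
C_LEN = 5.0      # vehicle length c_len (constructed)

# edge -> (v_init, v_final, length, priority); a -> M and b -> M merge into c -> D
EDGES: Dict[str, Tuple[str, str, float, int]] = {
    "a": ("A", "M", 100.0, 1),
    "b": ("B", "M", 100.0, 2),
    "c": ("M", "D", 100.0, 3),
    "d": ("D", "E", 100.0, 4),
}

@dataclass
class Vehicle:
    name: str
    edge: str    # l_i.e
    x: float     # l_i.x, distance from the edge's initial vertex
    v: float     # velocity

def relation(vi: Vehicle, vj: Vehicle) -> str:
    """successive / adjacent / remote, following Table 8.2."""
    ei, ej = EDGES[vi.edge], EDGES[vj.edge]
    if vi.edge == vj.edge or ei[1] == ej[0] or ej[1] == ei[0]:
        return "successive"
    if ei[1] == ej[1]:
        return "adjacent"
    return "remote"

def pos_along(v: Vehicle, ref: Vehicle) -> float:
    """Position of v measured from the start of ref's edge (successive vehicles only)."""
    if v.edge == ref.edge:
        return v.x
    if EDGES[ref.edge][1] == EDGES[v.edge][0]:   # v is on the edge after ref's
        return EDGES[ref.edge][2] + v.x
    return v.x - EDGES[v.edge][2]                # v is on the edge before ref's

def claim_reach(v: Vehicle, t: float) -> float:
    """Downstream extent of C_i(t) beyond l_i: worst-case travel for t time units,
    braking distance from the velocity then reached, plus the vehicle length."""
    v_max = min(v.v + C_ACC * t, C_SPEED)
    t_acc = (v_max - v.v) / C_ACC
    max_range = v.v * t_acc + 0.5 * C_ACC * t_acc ** 2 + v_max * (t - t_acc)
    return max_range + v_max ** 2 / (2 * C_BRAKE) + C_LEN

def owns_merge_point(v: Vehicle) -> bool:
    """(l_i.e, length(l_i.e)) in O_i: the owned track reaches the end of the edge."""
    return v.x + v.v ** 2 / (2 * C_BRAKE) + C_LEN >= EDGES[v.edge][2]

def claims_overlap(vi: Vehicle, vj: Vehicle, t: float) -> bool:
    """Negation of disjoint-claimed-tracks(i, i', t): a positive-length claim overlap."""
    rel = relation(vi, vj)
    if rel == "successive":
        xi, xj = vi.x, pos_along(vj, vi)
        rear, rear_x, front_x = (vi, xi, xj) if xi < xj else (vj, xj, xi)
        return rear_x + claim_reach(rear, t) > front_x
    if rel == "adjacent":   # both claims run past the shared merge point
        return (vi.x + claim_reach(vi, t) > EDGES[vi.edge][2]
                and vj.x + claim_reach(vj, t) > EDGES[vj.edge][2])
    return False

def yields(vi: Vehicle, vj: Vehicle) -> bool:
    """yield(i, i') of Table 8.2: i gives way to i' on a claim overlap."""
    rel = relation(vi, vj)
    if rel == "successive":                       # the trailing vehicle yields
        return vi.x < pos_along(vj, vi)
    if rel == "adjacent":
        own_i, own_j = owns_merge_point(vi), owns_merge_point(vj)
        lower_priority = EDGES[vi.edge][3] < EDGES[vj.edge][3]
        return (not own_i and own_j) or (own_i == own_j and lower_priority)
    return False

def snapshot(vi: Vehicle, vj: Vehicle, d: float) -> Set[str]:
    """send_j after snapshot(y)_j in Figure 8.2: names of the vehicles to brake."""
    if not claims_overlap(vi, vj, d):
        return set()
    return {vi.name} if yields(vi, vj) else {vj.name}

def exactly_one_yields(vi: Vehicle, vj: Vehicle) -> bool:
    """Lemma 8.2.1 (3)-(6): in a proximate state exactly one vehicle of the pair yields."""
    return relation(vi, vj) != "remote" and yields(vi, vj) != yields(vj, vi)

if __name__ == "__main__":
    i, ip = Vehicle("i", "a", 80.0, 10.0), Vehicle("i'", "b", 80.0, 10.0)
    print(snapshot(i, ip, 1.0))   # both own the merge point and b has priority: {'i'}
```

Two vehicles 20 m short of the merge at the speed limit both own the merge point, so the one on the lower-priority edge is braked; a stopped vehicle far from the merge produces no claim overlap and therefore an empty protect set, even though it would have to yield if an overlap arose. For successive vehicles the controller's choice is symmetric in the argument order: whichever vehicle is passed as $i$, it is the trailing one that is braked.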

It is important to note that the abstract protector automaton $\mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}},$
$R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$ complies with the assumptions made about the abstract protector in Section
3.2.1. In particular, since the vehicle location variables, the vehicle velocity variables,
and the collided variables are output variables of the GRAPH-VEHICLES automaton, the set
safe is $Y_{\text{GRAPH-VEHICLES}}$-determinable and actions that guarantee safety can be determined
from the output variables of the GRAPH-VEHICLES automaton (Axioms 3.2.4 and 3.2.5,
respectively). Moreover, the sets $R_{\{i,i'\}}$ and $G_{\{i,i'\}}$ are $Y_{\text{GRAPH-VEHICLES}}$-determinable (Axioms
3.2.6 and 3.2.7, respectively) and the set of start states $S_{\{i,i'\}}$ is a subset of the set
safe (Axiom 3.2.8), since $S_{\{i,i'\}}$ is defined to be the set safe.

In Section 3.1 it was shown that the abstract protector Absj guarantees that the physical 
Figure 8.2 Discrete controller automaton for the protector GRAPH-PROT-PAIR_{i,i'}.

Actions:   Input:    e, the environment action (stuttering)
                     snapshot(y)_j, for each valuation y of Y_GRAPH-VEHICLES
           Output:   protect(C)_j, for C ∈ P({i,i'})
Variables: Internal: send_j ∈ P({i,i'}) ∪ {null}, initially null

Discrete Transitions:

snapshot(y)_j
  Eff: if y ∉ disjoint-claimed-tracks(i,i',d) then
         if y ∈ yield(i,i') then
           send_j := {i}
         else
           send_j := {i'}
       else
         send_j := ∅

protect(C)_j
  Pre: send_j = C
  Eff: send_j := null

Trajectories:
  w.send_j = null



plant $PP$ remains within $G$ starting from $S$ given $R$. Similarly, the GRAPH-PROT-PAIR$_{\{i,i'\}}$
automaton guarantees that the GRAPH-VEHICLES automaton remains within $G_{\{i,i'\}}$ starting
from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$. This is shown in the following section.

8.4 Correctness of GRAPH-PROT-PAIR$_{\{i,i'\}}$

The main result to be shown is that GRAPH-PROT-PAIR$_{\{i,i'\}} \leq \mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}},$
$R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$. Since both GRAPH-PROT-PAIR$_{\{i,i'\}}$ and $\mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}},$
$R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$ involve the composition of the same sensor automaton with distinct discrete
controller automata, Theorem 2.7.4 applies. Therefore, it suffices to show that the
discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ of Figure 8.2 implements
the discrete controller automaton $\mathit{DC}(\text{GRAPH-VEHICLES}, S_{\{i,i'\}}, R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$ of
Figure 3.3. From Theorem 2.6.1, this follows by showing that there exists a simulation
relation between the states of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$
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Table 8.3 Sets used in the correctness proof of GRAPH-PROT-PAlR^-y}. 

W {i)i , } C VALID, for i, i' El,i^ i' , defined by 

MA-j-j'/T. = R{i t iiy fl G{i t iiy fl disjoint-owned-tracks(i,i') 

B{i,i'} Q VALID, for i, i' E I,i ^ i' , denned by 
B {iy} = W {iy} n P Bii n P B .,. 

v (i,i') Q VALID, for i, i' E I,i ^ i' , defined by 

v (i,i r ) = {P £ W{«,i'} l~l P Bii | (p E successive(i, i') Ap.k < p.k>) 

V(p£ adjacent(i, i') Ap.Oi C [p. /;, (p.li.e, length(p.li .e)}])} 

%,;<} C VALID, for i, i' E I,i ^ i' , defined by 

V{i,i'} = ^(MO U V(i',i) 

T{i,i'}(t) Q VALID, for i, i' El,i^ i' , and t E M^°, defined by 
T{i,i'}(t) = -R{i,i'} H G{iiij n disjoint-claimed-tracks(i, i' ,t) 



and the discrete controller automaton I?C(graph-vehicles, Su^n, Ru^x, Gu^n, j, d). We 
first give some set definitions, then prove some lemmas, and finally show the existence of 
such a simulation relation. 

In this section, we use the notation $\mathit{future}_{\{i,i'\}}$, $\mathit{safe}_{\{i,i'\}}$, $\mathit{very\text{-}safe}_{\{i,i'\}}$, and $\mathit{delay\text{-}safe}_{\{i,i'\}}$ to denote the specialization of the function $\mathit{future}$, the sets $\mathit{safe}$ and $\mathit{very\text{-}safe}$, and the function $\mathit{delay\text{-}safe}$, which are defined in Section 3.2.1, to the automaton GRAPH-VEHICLES, the sets $R_{\{i,i'\}}$ and $G_{\{i,i'\}}$, and the port $j$ of the GRAPH-PROT-PAIR$_{\{i,i'\}}$ protector. Moreover, since the environment action of the GRAPH-VEHICLES automaton is stuttering, its consideration is omitted in all inductive proofs involving the PP automaton.

We proceed by defining several sets that are used in the correctness proof of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$. For reference, their formal definitions appear in Table 8.3.

Let $W_{\{i,i'\}}$ be the subset of $R_{\{i,i'\}} \cap G_{\{i,i'\}}$ comprised of the states in which the section of the track owned by the vehicle $i$ does not overlap the section of track owned by the vehicle $i'$; that is, $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \mathit{disjoint\text{-}owned\text{-}tracks}(i, i')$.

Let $B_{\{i,i'\}}$ be the subset of $W_{\{i,i'\}}$ comprised of the states in which the vehicles $i$ and $i'$ are both being instructed to brake by the protector $j$; that is, $B_{\{i,i'\}} = W_{\{i,i'\}} \cap P_{B_i} \cap P_{B_{i'}}$.

Let $V_{(i,i')}$ be the subset of $W_{\{i,i'\}}$ comprised of the states in which the vehicle $i$ is being instructed to brake by the protector $j$ and either the vehicles $i$ and $i'$ are traveling in succession and $l_i < l_{i'}$, i.e., the vehicle $i$ is trailing the vehicle $i'$, or the vehicles $i$ and $i'$ are adjacent and the section of the track owned by the vehicle $i$ is entirely upstream of the merge point $(\mathit{out}, 0)$. Moreover, let $V_{\{i,i'\}}$ be defined as $V_{\{i,i'\}} = V_{(i,i')} \cup V_{(i',i)}$.

Let $T_{\{i,i'\}}(t)$, where $t \in \mathbb{R}^{\geq 0}$, be the subset of $R_{\{i,i'\}} \cap G_{\{i,i'\}}$ comprised of the states in which the section of the track claimed in time $t$ by the vehicle $i$ does not overlap the section of the track claimed in time $t$ by the vehicle $i'$; that is, $T_{\{i,i'\}}(t) = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', t)$.

The following lemma defines the relation among the sets $G_{\{i,i'\}}$, $W_{\{i,i'\}}$, $B_{\{i,i'\}}$, $V_{\{i,i'\}}$, and $T_{\{i,i'\}}(t)$, for $t \in \mathbb{R}^{\geq 0}$.

Lemma 8.4.1 For all $t, t' \in \mathbb{R}^{\geq 0}$, $t \leq t'$, the following hold:

2. $V_{\{i,i'\}} \subseteq W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$.

3. $B_{\{i,i'\}} \subseteq W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$.

4. $T_{\{i,i'\}}(t') \subseteq T_{\{i,i'\}}(t)$.

5. $T_{\{i,i'\}}(0) = W_{\{i,i'\}}$.

Proof: Follow directly from the definitions of the sets $W_{\{i,i'\}}$, $B_{\{i,i'\}}$, $V_{\{i,i'\}}$, and $T_{\{i,i'\}}(t)$, where $t \in \mathbb{R}^{\geq 0}$, and Lemma 4.4.2. ■

In the next two lemmas, we show that any state $p$ in the set $B_{\{i,i'\}}$ is in the set $\mathit{very\text{-}safe}_{\{i,i'\}}$; that is, any state $R_{\{i,i'\}}$-reachable from $p$ through an execution fragment that involves no input actions on port $j$, is in the set $G_{\{i,i'\}}$. In the first lemma, we show that any state that is $R_{\{i,i'\}}$-reachable from $p$ through an execution fragment that involves no input actions on port $j$, is in the set $W_{\{i,i'\}}$. In the second lemma, we show that $B_{\{i,i'\}} \subseteq \mathit{very\text{-}safe}_{\{i,i'\}}$.

Lemma 8.4.2 $\mathit{future}_{\{i,i'\}}(B_{\{i,i'\}}, \mathbb{R}^{\geq 0}) \subseteq W_{\{i,i'\}}$.

Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $B_{\{i,i'\}}$, is only comprised of states in $R_{\{i,i'\}}$, and involves no input actions on port $j$. Let $p_{\mathit{init}}$ and $p_{\mathit{final}}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{\mathit{final}} = p_{\mathit{init}}$. Since $p_{\mathit{init}} \in B_{\{i,i'\}}$, Lemma 8.4.1, part 3, implies that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{\mathit{final}} \in W_{\{i,i'\}}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{\mathit{final}}$ is the final state of $\alpha'$, then it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$.

In the case of a step, we consider all possible discrete actions by cases:

1. the actions $\mathit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_i \leq p'_{\mathit{final}}.\dot{x}_i$. Moreover, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

3. the $\mathit{brick\text{-}wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} \leq p'_{\mathit{final}}.\dot{x}_{i'}$. Moreover, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$ and $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

4. the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the input actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$ and $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it is the case that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

5. the internal actions $\mathit{colliding\text{-}pair}(i'', i''')$, for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions $\mathit{collision\text{-}effects}(i'''')$, for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{\mathit{final}} \in W_{\{i,i'\}}$.

Since $p_{\mathit{init}} \in B_{\{i,i'\}} \subseteq P_{B_i} \cap P_{B_{i'}}$ and the execution fragment leading from $p_{\mathit{init}}$ to $p'_{\mathit{final}}$ involves no input actions on port $j$, it follows that $p'_{\mathit{final}} \in P_{B_i} \cap P_{B_{i'}}$. Therefore, in the case of a trajectory from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$, Lemma 4.4.4, part 1, implies that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. Moreover, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$ and the variables $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ remain constant throughout the trajectory, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$. Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$, as needed. ■

Lemma 8.4.3 $B_{\{i,i'\}} \subseteq \mathit{very\text{-}safe}_{\{i,i'\}}$.

Proof: Follows directly from Lemma 8.4.2, Lemma 8.4.1, part 3, and the definition of $\mathit{very\text{-}safe}$ in Section 3.2.1. ■

In the next three lemmas and the subsequent corollary, we show that the sets $W_{\{i,i'\}}$ and $\mathit{safe}_{\{i,i'\}}$ are equal. First, we show that any state that is $R_{\{i,i'\}}$-reachable from a state $p$ in $W_{\{i,i'\}}$ through an execution fragment that involves no input actions on port $j$ and has a limit time equal to zero, is in the set $W_{\{i,i'\}}$. Then, we show that $W_{\{i,i'\}} \subseteq \mathit{safe}_{\{i,i'\}}$ and $\mathit{safe}_{\{i,i'\}} \subseteq W_{\{i,i'\}}$. Finally, the subsequent corollary states that $W_{\{i,i'\}} = \mathit{safe}_{\{i,i'\}}$.

Lemma 8.4.4 $\mathit{future}_{\{i,i'\}}(W_{\{i,i'\}}, 0) \subseteq W_{\{i,i'\}}$.

Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps, where $n \in \mathbb{N}$, that: starts in a state in $W_{\{i,i'\}}$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time equal to zero. Let $p_{\mathit{init}}$ and $p_{\mathit{final}}$ be the initial and final states of $\alpha$, respectively. By induction on the length $n$ of the execution fragment $\alpha$, we show that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of no steps and, therefore, $p_{\mathit{final}} = p_{\mathit{init}}$. Since $p_{\mathit{init}} \in W_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{\mathit{final}} \in W_{\{i,i'\}}$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps. The induction hypothesis involves the assertion that if $p'_{\mathit{final}}$ is the final state of $\alpha'$, then it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step, the inductive step involves the consideration of all possible steps leading from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$.

To complete the induction, we consider all possible discrete actions by cases:

1. the actions $\mathit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_i \leq p'_{\mathit{final}}.\dot{x}_i$. Moreover, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

3. the $\mathit{brick\text{-}wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_{i'} \leq p'_{\mathit{final}}.\dot{x}_{i'}$. Moreover, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$ and $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it follows that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

4. the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Therefore, since the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the input actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$ and $p_{\mathit{final}}.\dot{x}_{i'} = p'_{\mathit{final}}.\dot{x}_{i'}$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$ and $p_{\mathit{final}}.O_{i'} \subseteq p'_{\mathit{final}}.O_{i'}$. Therefore, since $p'_{\mathit{final}} \in W_{\{i,i'\}} \subseteq \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$, it is the case that $p_{\mathit{final}} \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Finally, since all states in $\alpha$ are, by definition, restricted to the set $R_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in W_{\{i,i'\}}$.

5. the internal actions $\mathit{colliding\text{-}pair}(i'', i''')$, for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions $\mathit{collision\text{-}effects}(i'''')$, for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{\mathit{final}} \in W_{\{i,i'\}}$. ■



Lemma 8.4.5 $W_{\{i,i'\}} \subseteq \mathit{safe}_{\{i,i'\}}$.

Proof: From the definition of $\mathit{safe}$ in Section 3.2.1, we must show that any state $p \in W_{\{i,i'\}}$ satisfies: (i) $\mathit{future}_{\{i,i'\}}(p, 0) \subseteq G_{\{i,i'\}}$, and (ii) there exists some input action $\pi$ on port $j$ such that for every $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in \mathit{future}_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_{\{i,i'\}}$.

(i) Since $p \in W_{\{i,i'\}}$, the first condition follows from Lemma 8.4.4 and Lemma 8.4.1, part 1.

(ii) For the second condition, let $\pi$ be the action $\mathit{protect}(\{i,i'\})_j$.

From Lemma 8.4.4, it follows that $p' \in W_{\{i,i'\}}$. Now, considering the step from $p'$ to $p''$, since the $\mathit{protect}(\{i,i'\})_j$ action affects neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, Lemma 4.4.3, part 1, implies that $p''.O_i \subseteq p'.O_i$ and $p''.O_{i'} \subseteq p'.O_{i'}$. Since $p' \in W_{\{i,i'\}}$, it follows that $p'' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$.

Moreover, since the $\mathit{protect}(\{i,i'\})_j$ action sets the internal variables $\mathit{brake\text{-}req}(i,j)$ and $\mathit{brake\text{-}req}(i',j)$ to True, it is the case that $p'' \in P_{B_i} \cap P_{B_{i'}}$. Since $p'' \in W_{\{i,i'\}}$, it follows that $p'' \in B_{\{i,i'\}}$.

Finally, Lemma 8.4.3 implies that $p'' \in \mathit{very\text{-}safe}_{\{i,i'\}}$, as needed. ■

Lemma 8.4.6 For any $p \in R_{\{i,i'\}}$, if $p \in \mathit{safe}_{\{i,i'\}}$ then $p \in W_{\{i,i'\}}$.

Proof: We show the contrapositive; that is, for any $p \in R_{\{i,i'\}}$, if $p \notin W_{\{i,i'\}}$ then $p \notin \mathit{safe}_{\{i,i'\}}$. Since $W_{\{i,i'\}} = R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$ and $p \in R_{\{i,i'\}}$, we consider the conditions $p \notin G_{\{i,i'\}}$ and $p \notin \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$ separately.

1. $p \notin G_{\{i,i'\}}$.

   From Lemma 3.2.4, part 1, it is the case that $\mathit{safe}_{\{i,i'\}} \subseteq G_{\{i,i'\}}$. Since $p \notin G_{\{i,i'\}}$, it follows that $p \notin \mathit{safe}_{\{i,i'\}}$.

2. $p \notin \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   We must show that $p \notin \mathit{safe}_{\{i,i'\}}$. In order for the state $p \in R_{\{i,i'\}}$ to be in the set $\mathit{safe}_{\{i,i'\}}$ there must exist some input action $\pi$ on port $j$ such that for every $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in \mathit{future}_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{very\text{-}safe}_{\{i,i'\}}$. Therefore, it suffices to show that for any input action $\pi$ on port $j$, there exist $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in \mathit{future}_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_{\{i,i'\}}$.

   Using similar analyses to those presented in the proofs of Lemmas 6.2.9 and 7.4.10, it can be shown that for any such $p \in R_{\{i,i'\}}$ and any input action $\pi$ on port $j$, there exist $p', p'' \in R_{\{i,i'\}}$ satisfying $p' \in \mathit{future}_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, such that $p'' \notin \mathit{very\text{-}safe}_{\{i,i'\}}$. It follows that $p \notin \mathit{safe}_{\{i,i'\}}$, as needed. ■



Corollary 8.4.7 $W_{\{i,i'\}} = \mathit{safe}_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 8.4.5 and 8.4.6. ■

In the following three lemmas, we show that any state $R_{\{i,i'\}}$-reachable from a state in $V_{(i,i')}$ through an execution fragment that involves no input actions on port $j$ and has a limit time that lies in the interval $[0, d_{max}]$, is in the set $W_{\{i,i'\}}$. In the first lemma, we show that if the final state of such an execution fragment is in $G_{\{i,i'\}}$ and the section of track owned by the vehicle $i$ has not grown since the beginning of the execution fragment, then the final state of the execution fragment is in $W_{\{i,i'\}}$. In the second lemma, we show that the final state of any such execution fragment is in $G_{\{i,i'\}}$ and the section of track owned by the vehicle $i$ does not grow throughout the execution fragment. The third lemma states the desired property, which follows directly from the first two lemmas.

Lemma 8.4.8 Let $p \in V_{(i,i')}$ and $p' \in \mathit{future}_{\{i,i'\}}(p, [0, d_{max}])$. If $p' \in G_{\{i,i'\}}$ and $p'.O_i \subseteq p.O_i$, then $p' \in W_{\{i,i'\}}$.

Proof: We need to show that $p' \in W_{\{i,i'\}}$; that is, we need to show that the state $p'$ is in the set $R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. Since $p' \in G_{\{i,i'\}}$, by assumption, it remains to be shown that $p' \in R_{\{i,i'\}}$ and $p' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. We consider these two conditions by cases:

1. $p' \in R_{\{i,i'\}}$.

   This is the case because the function $\mathit{future}_{\{i,i'\}}(p, \mathbb{R}^{\geq 0})$ only considers $R_{\{i,i'\}}$-reachable states.

2. $p' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   Since $p \in V_{(i,i')}$, there are two possible scenarios: (i) $p \in \mathit{successive}(i,i')$ and $p.l_i < p.l_{i'}$; (ii) $p \in \mathit{adjacent}(i,i')$ and $p.O_i \subseteq [\,p.l_i, (p.l_i.e, \mathit{length}(p.l_i.e))\,]$.

   In the first case, it is as if the vehicle $i$ is trailing the vehicle $i'$ on a single track. Since $p \in V_{(i,i')} \subseteq W_{\{i,i'\}}$, the sections of the track owned by the vehicles $i$ and $i'$ in state $p$ are disjoint. Now, consider the section of track owned by the vehicle $i$ in the state $p'$. Since $p'.O_i \subseteq p.O_i$, it follows that $p.l_i = \min(p.O_i) \leq p'.l_i = \min(p'.O_i)$ and there exist locations in $p.O_i$ that are at least as downstream as any of the locations in $p'.O_i$. Next, consider the section of track owned by the vehicle $i'$ in the state $p'$. Because of the non-negative constraint on the vehicle velocities it follows that the location $p'.l_{i'} = \min(p'.O_{i'})$ is either equal to, or downstream of the location $p.l_{i'} = \min(p.O_{i'})$. Moreover, the section of track owned by the vehicle $i'$ in state $p'$ could only range from the location $p'.l_{i'}$ up to the locations that are a distance $\Delta x_{max}$ downstream from the location $p.l_{i'}$. Therefore, because of the constraint on the length of the edges in the track topology and the constraint on the minimum number of edges comprising a cycle in the track topology, it follows that $p' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$.

   In the second case, since $p.O_i \subseteq [\,p.l_i, (p.l_i.e, \mathit{length}(p.l_i.e))\,]$, the section of the track owned by the vehicle $i$ in state $p$ is strictly within the incoming directed edge $p.l_i.e$. Since $p'.O_i \subseteq p.O_i$, the same is true for the section of track owned by the vehicle $i$ in state $p'$. Similarly to above, because of the non-negative constraint on the vehicle velocities it follows that the location $p'.l_{i'} = \min(p'.O_{i'})$ is either equal to, or downstream of the location $p.l_{i'} = \min(p.O_{i'})$. Moreover, the section of track owned by the vehicle $i'$ in state $p'$ could only range from the location $p'.l_{i'}$ up to the locations that are a distance $\Delta x_{max}$ downstream from the location $p.l_{i'}$. Therefore, because of the constraint on the length of the edges in the track topology, the constraint on the minimum number of edges comprising a cycle in the track topology, the fact that the vehicles are traveling on adjacent tracks in state $p$, and the fact that the section of track owned by the vehicle $i$ remains within the incoming branch, it follows that $p' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. ■



Lemma 8.4.9 If $p \in V_{(i,i')}$ and $p' \in \mathit{future}_{\{i,i'\}}(p, [0, d_{max}])$, then it is the case that $p' \in G_{\{i,i'\}}$ and $p'.O_i \subseteq p.O_i$.

Proof: Let $\alpha$ be an execution fragment of the GRAPH-VEHICLES automaton of $n$ steps and trajectories, where $n \in \mathbb{N}$, that: starts in a state in $V_{(i,i')}$, is only comprised of states in $R_{\{i,i'\}}$, involves no input actions on port $j$, and has a limit time that lies in the interval $[0, d_{max}]$. Letting $p_{\mathit{init}}$ and $p_{\mathit{final}}$ be the initial and final states of $\alpha$, respectively, we must show that $p_{\mathit{final}} \in G_{\{i,i'\}}$ and $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$. The proof is by induction on the length $n$ of the execution fragment $\alpha$.

For the base case, consider the execution fragment $\alpha$ of length $n = 0$; that is, $\alpha$ is an execution fragment that consists of a single point trajectory and, therefore, $p_{\mathit{final}} = p_{\mathit{init}}$. From Lemma 8.4.1, part 2, and the fact that $p_{\mathit{init}} \in V_{(i,i')} \subseteq V_{\{i,i'\}}$, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$. Moreover, the fact that $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$ is trivially true.

The inductive step involves showing that if $\alpha$ is an execution fragment of length $n = k + 1$, for some $k \in \mathbb{N}$, then $p_{\mathit{final}} \in G_{\{i,i'\}}$ and $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$. Let $\alpha'$ be the part of the execution fragment $\alpha$ comprised of the first $k$ steps and trajectories. The induction hypothesis involves the assertion that if $p'_{\mathit{init}}$ and $p'_{\mathit{final}}$ are the initial and final states of $\alpha'$, respectively, then it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$ and $p'_{\mathit{final}}.O_i \subseteq p'_{\mathit{init}}.O_i$. Moreover, from Lemma 8.4.8 it follows that $p'_{\mathit{final}} \in W_{\{i,i'\}}$. Since the final state of $\alpha$ is reached from the final state of $\alpha'$ by a single step or trajectory, the inductive step involves the consideration of all possible steps and trajectories leading from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$.

In the case of a step, we consider all possible actions by cases:

1. the actions $\mathit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the vehicle velocities are restricted to be non-negative, it is the case that $p_{\mathit{final}}.\dot{x}_i \leq p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. However, from the induction hypothesis it is the case that $p'_{\mathit{final}}.O_i \subseteq p'_{\mathit{init}}.O_i$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$, as needed.

3. the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, affect neither the velocity of the vehicle $i$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

   From the induction hypothesis, it is the case that $p'_{\mathit{final}} \in G_{\{i,i'\}}$. Therefore, since the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$.

   Moreover, since the input actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J$, $j' \neq j$, and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I$, $i'' \neq i$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the velocity of the vehicle $i$, it is the case that $p_{\mathit{final}}.\dot{x}_i = p'_{\mathit{final}}.\dot{x}_i$. From Lemma 4.4.3, part 1, it follows that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. However, from the induction hypothesis it is the case that $p'_{\mathit{final}}.O_i \subseteq p'_{\mathit{init}}.O_i$. Therefore, since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$, as needed.

4. the internal actions $\mathit{colliding\text{-}pair}(i'', i''')$, for $i'', i''' \in I$, $i'' \neq i'''$, and the internal actions $\mathit{collision\text{-}effects}(i'''')$, for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{\mathit{final}} \in W_{\{i,i'\}}$.

Since $p'_{\mathit{init}} \in V_{(i,i')} \subseteq P_{B_i}$ and the execution fragment leading from $p'_{\mathit{init}}$ to $p'_{\mathit{final}}$ involves no input actions on port $j$, it follows that $p'_{\mathit{final}} \in P_{B_i}$. Therefore, in the case of a trajectory from $p'_{\mathit{final}}$ to $p_{\mathit{final}}$, Lemma 4.4.4, part 1, implies that $p_{\mathit{final}}.O_i \subseteq p'_{\mathit{final}}.O_i$. However, from the induction hypothesis it is the case that $p'_{\mathit{final}}.O_i \subseteq p'_{\mathit{init}}.O_i$. Since $p_{\mathit{init}} = p'_{\mathit{init}}$, it follows that $p_{\mathit{final}}.O_i \subseteq p_{\mathit{init}}.O_i$. Moreover, since $p'_{\mathit{final}} \in G_{\{i,i'\}}$ and the variables $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ remain constant throughout the trajectory, it follows that $p_{\mathit{final}} \in G_{\{i,i'\}}$, as needed. ■

Lemma 8.4.10 $\mathit{future}_{\{i,i'\}}(V_{(i,i')}, [0, d_{max}]) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemmas 8.4.8 and 8.4.9. ■

In the following lemma, we extend the result of Lemma 8.4.10 to the set $V_{\{i,i'\}}$.

Lemma 8.4.11 $\mathit{future}_{\{i,i'\}}(V_{\{i,i'\}}, [0, d_{max}]) \subseteq W_{\{i,i'\}}$.

Proof: Follows directly from Lemma 8.4.10 and the fact that $V_{\{i,i'\}} = V_{(i,i')} \cup V_{(i',i)}$. ■

The following lemma states that any state $p$ in the set $V_{\{i,i'\}}$ is in the set $\mathit{delay\text{-}safe}_{\{i,i'\}}(d)$; that is, any state $R_{\{i,i'\}}$-reachable from $p$ within an amount of time $d$ through an execution fragment that involves no input actions on port $j$, is in the set $G_{\{i,i'\}}$ and any state $R_{\{i,i'\}}$-reachable from $p$ in exactly an amount of time $d$ through an execution fragment that involves no input actions on port $j$, is in the set $\mathit{safe}_{\{i,i'\}}$.

Lemma 8.4.12 $V_{\{i,i'\}} \subseteq \mathit{delay\text{-}safe}_{\{i,i'\}}(d)$.

Proof: Follows from Lemma 3.2.4, part 1, Lemma 8.4.11, Corollary 8.4.7, and the fact that $d \leq d_{max}$. ■

In the next few lemmas, we show that any state $p$ in the set $T_{\{i,i'\}}(t)$, for any $t \in \mathbb{R}^{\geq 0}$, is in the set $\mathit{delay\text{-}safe}_{\{i,i'\}}(t)$; that is, any state $R_{\{i,i'\}}$-reachable from $p$ within an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set $G_{\{i,i'\}}$ and any state $R_{\{i,i'\}}$-reachable from $p$ in exactly an amount of time $t$ through an execution fragment that involves no input actions on port $j$, is in the set $\mathit{safe}_{\{i,i'\}}$.

Lemma 8.4.13 Let $p \in T_{\{i,i'\}}(\tau)$, where $\tau \in \mathbb{R}^{\geq 0}$, and $p' \in \mathit{future}_{\{i,i'\}}(p, t)$, where $t \in [0, \tau]$. If $p' \in G_{\{i,i'\}}$, $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$, and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, then $p' \in T_{\{i,i'\}}(\tau - t)$.

Proof: We need to show that $p' \in R_{\{i,i'\}} \cap G_{\{i,i'\}} \cap \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', \tau - t)$. Since $p' \in G_{\{i,i'\}}$ by assumption, it remains to be shown that $p' \in R_{\{i,i'\}}$ and $p' \in \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', \tau - t)$. We consider these two conditions by cases:

1. $p' \in R_{\{i,i'\}}$.

   This is the case because the function $\mathit{future}_{\{i,i'\}}(p, t)$ only considers $R_{\{i,i'\}}$-reachable states.

2. $p' \in \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', \tau - t)$.

   Since $p \in T_{\{i,i'\}}(\tau)$, it is the case that $p \in \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', \tau)$. Therefore, since $p'.C_i(\tau - t) \subseteq p.C_i(\tau)$ and $p'.C_{i'}(\tau - t) \subseteq p.C_{i'}(\tau)$, it follows that $p' \in \mathit{disjoint\text{-}claimed\text{-}tracks}(i, i', \tau - t)$, as needed. ■



Lemma 8.4.14 For all p £ Tsjji\(t), where t £ M- , and p' £ futures— n(p,t), where 
t £ [0, r], it is the case that p' £ Gy^rx, p' .Ci(r — t) C p.C 8 '(r), and p' .G{i(t — t) C p.C 8 /(r). 
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Proof: Let r G M- and a be an execution fragment of the GRAPH-VEHICLES automaton of 
n steps and trajectories, where n G N, that: starts in a state in Tu^ix^t), is only comprised 
of states in Ruyx, involves no input actions on port j, and has a limit time t that lies in 
the interval [0, r]. Letting Pinit and Pfi na i be the initial and final states of a, respectively, we 
must show that p fina i G G{ iti ,y,p fina i.Ci(T-t) C p m!i .C 8 (r), andp^ a ;.CV(r-i) C p m!i .CV(r). 
The proof is by induction on the length n of the execution fragment a. 

For the base case, consider the execution fragment a of length n = 0; that is, a is an 
execution fragment that consists of a single point trajectory and, therefore, Pfi na i = Pinit 
and a.ltime = 0, i.e., t = 0. From Lemma 8.4.1, part 1, and the fact that Pinit G TY^/t^t), it 
follows that Pfinai G Gj-jj/i. Moreover, since t = 0, the facts that Pfi na i-Ci(T — t) C Pi n it.Ci(T) 
and Pfi na i.Cii(T - t) C p m!i .C 8 /(r) are trivially true. 

The inductive step involves showing that if a is an execution fragment of length n = k + 1, 
for some A; G N, with a.ltime = t, where t G [0,r], then Pfi na i G Gu^x, Pfi n al-Ci(T — t) C 
Pinit-Ci(T), and Pfinal-Ci'(T — t) C p i n it.C v (t) . Let a' be the part of the execution fragment 
a comprised of the first A; steps and trajectories and let a' .Itime = t' , where t' G [0,i]. The 
induction hypothesis involves the assertion that if p[ nit and p't ina i are the initial and final 
states of a', respectively, then it is the case that p'e na i G Gu^x, p'a na i-Ci(T — t') C p' K!i .C 8 (r), 
and p'fi na i-Ci'(T — t') C p'- nir Cj-/(r). Moreover, from Lemma 8.4.13 it follows that p'c na i G 
^{iji'jC 7 " — t')- Since the final state of a is reached from the final state of a' by a single 
step or trajectory, the inductive step involves the consideration of all possible steps and 
trajectories leading from p' final to Pfi na \. 

In the case of a step, keeping in mind that the limit times of $\alpha'$ and $\alpha$ are equal, i.e., $t' = t$, we consider all possible discrete actions by cases:

1. the actions $\mathit{protect}(C)_j$, for $C \in \mathcal{P}(\{i,i'\})$, are not enabled because $\alpha$ involves no input actions on port $j$.

2. the $\mathit{brick\text{-}wall}(i)$ action sets the velocity of the vehicle $i$ to zero and affects neither the velocity of the vehicle $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_i \le p'_{final}.\dot{x}_i$. Moreover, since the $\mathit{brick\text{-}wall}(i)$ action does not affect the velocity of the vehicle $i'$, it is the case that $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.
3. the $\mathit{brick\text{-}wall}(i')$ action sets the velocity of the vehicle $i'$ to zero and affects neither the velocity of the vehicle $i$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Since the vehicle velocities are restricted to be non-negative, it is the case that $p_{final}.\dot{x}_{i'} \le p'_{final}.\dot{x}_{i'}$. Moreover, since the $\mathit{brick\text{-}wall}(i')$ action does not affect the velocity of the vehicle $i$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

4. the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J, j' \ne j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, affect neither the velocities of the vehicles $i$ and $i'$, nor the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables.

From the induction hypothesis, it is the case that $p'_{final} \in G_{\{i,i'\}}$. Therefore, since the actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J, j' \ne j$, $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables, it follows that $p_{final} \in G_{\{i,i'\}}$.

Moreover, since the input actions $\mathit{protect}(C)_{j'}$, for $C \in \mathcal{P}(I)$ and $j' \in J, j' \ne j$, and the internal actions $\mathit{brick\text{-}wall}(i'')$, for $i'' \in I - \{i,i'\}$, and $\mathit{reset\text{-}location}(i''')$, for $i''' \in I$, do not affect the velocities of the vehicles $i$ and $i'$, it is the case that $p_{final}.\dot{x}_i = p'_{final}.\dot{x}_i$ and $p_{final}.\dot{x}_{i'} = p'_{final}.\dot{x}_{i'}$. From Lemma 4.4.3, part 2, it follows that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$, as needed.

5. the internal actions $\mathit{colliding\text{-}pair}(i'',i''')$, for $i'',i''' \in I, i'' \ne i'''$, and the internal actions $\mathit{collision\text{-}effects}(i'''')$, for $i'''' \in I$, are not enabled because $\alpha$ is only comprised of states in $R_{\{i,i'\}}$ and $p'_{final} \in T_{\{i,i'\}}(\tau - t')$.

In the case of a trajectory, Lemma 4.4.4, part 2, implies that $p_{final}.C_i(\tau - t) \subseteq p'_{final}.C_i(\tau - t')$ and $p_{final}.C_{i'}(\tau - t) \subseteq p'_{final}.C_{i'}(\tau - t')$. However, from the induction hypothesis it is the case that $p'_{final}.C_i(\tau - t') \subseteq p'_{init}.C_i(\tau)$ and $p'_{final}.C_{i'}(\tau - t') \subseteq p'_{init}.C_{i'}(\tau)$. Therefore, since $p_{init} = p'_{init}$, it follows that $p_{final}.C_i(\tau - t) \subseteq p_{init}.C_i(\tau)$ and $p_{final}.C_{i'}(\tau - t) \subseteq p_{init}.C_{i'}(\tau)$. Moreover, since $p'_{final} \in G_{\{i,i'\}}$ and the $\mathit{collided}(i,i')$ and $\mathit{collided}(i',i)$ variables remain constant throughout the trajectory, it follows that $p_{final} \in G_{\{i,i'\}}$, as needed. ■
Lemma 8.4.15 For $\tau \in \mathbb{R}^{\ge 0}$ and $t \in [0,\tau]$, it is the case that $\mathit{future}_{\{i,i'\}}(T_{\{i,i'\}}(\tau), t) \subseteq T_{\{i,i'\}}(\tau - t)$.

Proof: Follows directly from Lemmas 8.4.13 and 8.4.14. ■

Corollary 8.4.16 For any $t \in \mathbb{R}^{\ge 0}$, it is the case that $\mathit{future}_{\{i,i'\}}(T_{\{i,i'\}}(t), 0) \subseteq T_{\{i,i'\}}(t)$.

Proof: Follows directly from Lemma 8.4.15. ■

Lemma 8.4.17 For any $t \in \mathbb{R}^{\ge 0}$, it is the case that $T_{\{i,i'\}}(t) \subseteq \mathit{delay\text{-}safe}_{\{i,i'\}}(t)$.

Proof: From the definition of delay-safe in Section 3.2.1, we must show that:

1. $\mathit{future}_{\{i,i'\}}(T_{\{i,i'\}}(t), [0,t]) \subseteq G_{\{i,i'\}}$, and

2. $\mathit{future}_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq \mathit{safe}_{\{i,i'\}}$.

The first condition follows directly from Lemma 8.4.15 and Lemma 8.4.1, part 1. Moreover, Lemma 8.4.15 and Lemma 8.4.1, part 5, imply that $\mathit{future}_{\{i,i'\}}(T_{\{i,i'\}}(t), t) \subseteq W_{\{i,i'\}}$. Therefore, the second condition follows from Lemma 8.4.5. ■

In the following lemma, we show that the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements the protector $\mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}}, R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$. Since the protector automata GRAPH-PROT-PAIR$_{\{i,i'\}}$ and $\mathit{Abs}_j$ involve the composition of the same sensor automaton with distinct controller automata, it suffices to show that the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements the discrete controller automaton $\mathit{DC}(\text{GRAPH-VEHICLES}, S_{\{i,i'\}}, R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$.

Lemma 8.4.18 GRAPH-PROT-PAIR$_{\{i,i'\}} \le \mathit{Abs}_j(\text{GRAPH-VEHICLES}, S_{\{i,i'\}}, R_{\{i,i'\}}, G_{\{i,i'\}}, j, d)$.

Proof: Both the GRAPH-PROT-PAIR$_{\{i,i'\}}$ and the $\mathit{Abs}_j$ protectors involve the composition of the same sensor automaton with distinct controller automata. From Theorem 2.7.4, it suffices to show that the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ implements $\mathit{DC}_j$. This is shown by a simulation from the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ to $\mathit{DC}_j$.

The mapping between the states of the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ and $\mathit{DC}_j$ is almost the identity. In the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$, the variable $\mathit{send}_j$ is equal to either a member of $\mathcal{P}(\{i,i'\})$, or the value null. In $\mathit{DC}_j$, these valuations simply map to either the actions $\mathit{protect}(C)_j$, where $C$ is the member of $\mathcal{P}(\{i,i'\})$ that corresponds to the valuation of the variable $\mathit{send}_j$ of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$, or the value null, respectively.

The start states for the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ and $\mathit{DC}_j$ are the states in which $\mathit{send}_j = \mathit{null}$. These are related to each other according to the mapping discussed above.

Furthermore, since the trajectories in both discrete controller automata are identical, we need only consider their discrete transitions. We analyze the actions of the implementation by cases, letting $p$ denote any complete state of the GRAPH-VEHICLES automaton that corresponds to the output state $y$, i.e., $p \in \mathit{VALID}$ and $p\lceil\text{GRAPH-VEHICLES} = y$.

1. The $\mathit{snapshot}(y)_j$ action of the implementation sets $\mathit{send}_j$ to an element of $\mathcal{P}(\{i,i'\})$. In order to show that the behavior of the implementation is allowed by the specification, we must show that the input action $\mathit{snapshot}(y)_j$ of the implementation sets the value of the $\mathit{send}_j$ variable in such a way that the subsequently enabled action $\pi$ of the implementation (i) guarantees that for all $p',p'' \in R_{\{i,i'\}}$ such that $p' \in \mathit{future}_{\{i,i'\}}(p, 0)$ and $p' \xrightarrow{\pi} p''$, it is the case that $p'' \in \mathit{delay\text{-}safe}_{\{i,i'\}}(d)$, if $p \in \mathit{safe}_{\{i,i'\}}$, and (ii) is an arbitrary output action of the implementation, otherwise.

First, consider the case in which $p \in \mathit{safe}_{\{i,i'\}}$. Since Corollary 8.4.7 implies that $p \in W_{\{i,i'\}}$, the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ according to whether the state $p$ is in $T_{\{i,i'\}}(d)$, or not.

On one hand, if $p \notin T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to either $\{i\}$, or $\{i'\}$ according to the strategy described in Section 8.3. Therefore, the $\mathit{snapshot}(y)_j$ action enables either the $\mathit{protect}(\{i\})_j$ action, or the $\mathit{protect}(\{i'\})_j$ action. Since $p \in W_{\{i,i'\}}$, Lemma 8.4.4 implies that $p' \in W_{\{i,i'\}}$. Moreover, since the $\mathit{protect}(\{i\})_j$ and $\mathit{protect}(\{i'\})_j$ actions affect neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in W_{\{i,i'\}}$, Lemma 4.4.3, part 1, implies that $p'' \in \mathit{disjoint\text{-}owned\text{-}tracks}(i,i')$. From the above conditions, it follows that $p'' \in W_{\{i,i'\}}$. Moreover, since the $\mathit{protect}(\{i\})_j$ and $\mathit{protect}(\{i'\})_j$ actions set the $\mathit{brake\text{-}req}(i,j)$ and $\mathit{brake\text{-}req}(i',j)$ variables, respectively, to True, it follows that $p'' \in V_{\{i,i'\}}$. Finally, Lemma 8.4.12 implies that $p'' \in \mathit{delay\text{-}safe}_{\{i,i'\}}(d)$, as needed.

On the other hand, if $p \in T_{\{i,i'\}}(d)$ then the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to $\emptyset$ and the $\mathit{protect}(\emptyset)_j$ action is enabled. Since $p \in T_{\{i,i'\}}(d)$, Corollary 8.4.16 implies that $p' \in T_{\{i,i'\}}(d)$. Moreover, since the $\mathit{protect}(\emptyset)_j$ action affects neither the velocity of any of the vehicles, nor any of the collided variables, it follows that $p'' \in R_{\{i,i'\}}$, $p'' \in G_{\{i,i'\}}$, $p''.\dot{x}_i = p'.\dot{x}_i$, and $p''.\dot{x}_{i'} = p'.\dot{x}_{i'}$. Therefore, since $p' \in T_{\{i,i'\}}(d)$, Lemma 4.4.3, part 2, implies that $p'' \in \mathit{disjoint\text{-}claimed\text{-}tracks}(i,i',d)$. From the above conditions, it follows that $p'' \in T_{\{i,i'\}}(d)$. Finally, Lemma 8.4.17 implies that $p'' \in \mathit{delay\text{-}safe}_{\{i,i'\}}(d)$, as needed.

Next, consider the case in which $p \notin \mathit{safe}_{\{i,i'\}}$. In this case, the $\mathit{snapshot}(y)_j$ action of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ sets the variable $\mathit{send}_j$ to either $\{i\}$, $\{i'\}$, or $\emptyset$ and, subsequently, enables either the $\mathit{protect}(\{i\})_j$ action, the $\mathit{protect}(\{i'\})_j$ action, or the $\mathit{protect}(\emptyset)_j$ action, respectively. However, when $p \notin \mathit{safe}_{\{i,i'\}}$, the $\mathit{DC}_j$ automaton sets the variable $\mathit{send}_j$ arbitrarily and, subsequently, enables an arbitrary output action. Therefore, the behavior of the discrete controller automaton of the protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ is allowed by that of the $\mathit{DC}_j$ automaton.

Therefore, the effects of the $\mathit{snapshot}(y)_j$ action of the implementation are allowed by its specification.

2. The $\mathit{protect}(C)_j$ actions, for $C \in \mathcal{P}(\{i,i'\})$, have identical effects in both discrete controller automata. When the $\mathit{send}_j$ variable matches either the set $C$, or the $\mathit{protect}(C)_j$ action, the action $\mathit{protect}(C)_j$ is executed and the $\mathit{send}_j$ variable is set to null in both discrete controller automata.

3. The environment action in both discrete controller automata is stuttering. It follows that the mapping between the states of the discrete controller automaton of GRAPH-PROT-PAIR$_{\{i,i'\}}$ and the $\mathit{DC}_j$ automaton prior to and succeeding the execution of the environment action remains the same. ■

Corollary 8.4.19 The protector GRAPH-PROT-PAIR$_{\{i,i'\}}$ guarantees that the automaton GRAPH-VEHICLES remains within $G_{\{i,i'\}}$ starting from $S_{\{i,i'\}}$ given $R_{\{i,i'\}}$.

Proof: Follows directly from Lemma 8.4.18 and Theorem 3.2.9. ■



8.5 Protection System GRAPH-PROT

We now define the collision protector GRAPH-PROT. While considering the automaton GRAPH-PROT, we restrict the states of the GRAPH-VEHICLES automaton to $P_{not\text{-}overspeed}$ as defined in Section 4.2, i.e., $R_{\text{GRAPH-PROT}} = P_{not\text{-}overspeed}$. Let $G_{\text{GRAPH-PROT}}$ and $S_{\text{GRAPH-PROT}}$ be the intersection of $G_{\{i,i'\}}$ and $S_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I, i \ne i'$, respectively, and GRAPH-PROT be the composition of GRAPH-PROT-PAIR$_{\{i,i'\}}$, for all $\{i,i'\}$, where $i,i' \in I, i \ne i'$. The protector GRAPH-PROT guarantees that GRAPH-VEHICLES remains within $G_{\text{GRAPH-PROT}}$ starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$. For reference, the formal definitions of the GRAPH-PROT automaton and the sets $G_{\text{GRAPH-PROT}}$, $S_{\text{GRAPH-PROT}}$, and $R_{\text{GRAPH-PROT}}$ are shown in Table 8.4.

Table 8.4 Formal definitions of GRAPH-PROT, $G_{\text{GRAPH-PROT}}$, $S_{\text{GRAPH-PROT}}$, and $R_{\text{GRAPH-PROT}}$.

$\text{GRAPH-PROT} = \prod_{\{i,i'\}} \text{GRAPH-PROT-PAIR}_{\{i,i'\}}$

$G_{\text{GRAPH-PROT}} = \bigcap_{\{i,i'\}} G_{\{i,i'\}}$

$S_{\text{GRAPH-PROT}} = \bigcap_{\{i,i'\}} S_{\{i,i'\}}$

$R_{\text{GRAPH-PROT}} = P_{not\text{-}overspeed}$

(In each line, $\{i,i'\}$ ranges over all unordered pairs with $i,i' \in I$, $i \ne i'$.)

Lemma 8.5.1 The protector GRAPH-PROT guarantees that the GRAPH-VEHICLES automaton remains within $G_{\text{GRAPH-PROT}}$ starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$.

In the following proof, we show that all the states of an execution of PP × GRAPH-PROT starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$ are in $G_{\text{GRAPH-PROT}}$. This is done by applying Theorem 3.1.8 and showing that the second condition of the theorem does not hold.

Proof: Let $\alpha$ be any execution of the system PP × GRAPH-PROT starting from a state in $S_{\text{GRAPH-PROT}}$ and in which all states are in $R_{\text{GRAPH-PROT}}$.

From Theorem 3.1.8, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I, i \ne i'} G_{\{i,i'\}}$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$ except possibly the last state occurrence are in the set $G_{\text{GRAPH-PROT}} = \bigcap_{i,i' \in I, i \ne i'} G_{\{i,i'\}}$.

(b) If the last state occurrence in $\alpha_1$ is in $\overline{G}_{\{i,i'\}}$, for some $i,i' \in I, i \ne i'$, then there exist $i'',i''' \in I, i'' \ne i''', \{i'',i'''\} \ne \{i,i'\}$, such that the last state occurrence in $\alpha_1$ is in $\overline{G}_{\{i'',i'''\}}$.

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence are in the set $\bigcap_{\{i'',i'''\} \in N} \mathit{past}(\overline{G}_{\{i'',i'''\}}, \alpha)$, for some $N \subseteq \{\{i,i'\} \mid i,i' \in I, i \ne i'\}$, where $|N| \ge 2$.

We proceed by showing that it is not possible to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$ while satisfying the three aforementioned conditions.

The violation of $\bigcap_{i,i' \in I, i \ne i'} G_{\{i,i'\}}$ can only occur through the violation of at least one of the conditions $G_{\{i,i'\}}$, where $i,i' \in I, i \ne i'$. Moreover, each of these conditions is violated only through the execution of a colliding-pair action. Without loss of generality, suppose that the first condition that is violated in $\alpha$ is the condition $G_{\{i,i'\}}$, for some $i,i' \in I, i \ne i'$, and that such a violation has resulted through a $\mathit{colliding\text{-}pair}(i,i')$ action. Let $p$ and $p'$ be the states of the system prior to and succeeding this $\mathit{colliding\text{-}pair}(i,i')$ action, i.e., $p,p' \in R_{\text{GRAPH-PROT}}$ such that $p \xrightarrow{\pi} p'$, where $\pi = \mathit{colliding\text{-}pair}(i,i')$. Since the $\mathit{colliding\text{-}pair}(i,i')$ action only sets the $\mathit{collided}(i,i')$ variable to True, it follows that the state $p'$ is in the set $\overline{G}_{\{i,i'\}} \cap \left(\bigcap_{i'',i''' \in I, i'' \ne i''', \{i'',i'''\} \ne \{i,i'\}} G_{\{i'',i'''\}}\right)$. Now, we attempt to decompose $\alpha$ as $\alpha_1 \frown \alpha_2$:

1. Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I, i'' \ne i'''$, is violated, it is the case that $p \in \bigcap_{i'',i''' \in I, i'' \ne i'''} G_{\{i'',i'''\}}$ and there does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I, i'' \ne i'''\}$ such that $|N| \ge 2$ and $p \in \bigcap_{\{i'',i'''\} \in N} \mathit{past}(\overline{G}_{\{i'',i'''\}}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

2. Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first state in which one of the conditions $G_{\{i'',i'''\}}$, for $i'',i''' \in I, i'' \ne i'''$, is violated and since the state $p'$ is in $\overline{G}_{\{i,i'\}} \cap \left(\bigcap_{i'',i''' \in I, i'' \ne i''', \{i'',i'''\} \ne \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that there does not exist $N \subseteq \{\{i'',i'''\} \mid i'',i''' \in I, i'' \ne i'''\}$ such that $|N| \ge 2$ and $p' \in \bigcap_{\{i'',i'''\} \in N} \mathit{past}(\overline{G}_{\{i'',i'''\}}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

3. Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. However, $p' \in \overline{G}_{\{i,i'\}} \cap \left(\bigcap_{i'',i''' \in I, i'' \ne i''', \{i'',i'''\} \ne \{i,i'\}} G_{\{i'',i'''\}}\right)$. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

4. Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since $p' \in \overline{G}_{\{i,i'\}} \cap \left(\bigcap_{i'',i''' \in I, i'' \ne i''', \{i'',i'''\} \ne \{i,i'\}} G_{\{i'',i'''\}}\right)$, it follows that the state $p'$ is not in the set $\bigcap_{i'',i''' \in I, i'' \ne i'''} G_{\{i'',i'''\}}$. Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.

Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.8 must hold; that is, every state in $\alpha$ is in $G_{\text{GRAPH-PROT}}$. This implies that the protector GRAPH-PROT guarantees $G_{\text{GRAPH-PROT}}$ in the GRAPH-VEHICLES automaton starting from $S_{\text{GRAPH-PROT}}$ given $R_{\text{GRAPH-PROT}}$. ■
Chapter 9

Composing the Overspeed and 
Collision Avoidance Protection 
Systems 



In the previous chapters, we presented example protectors whose correct operation required 
that the physical plant automaton at hand satisfied particular properties. For instance, 
in the case of the VEHICLES automaton of Chapter 4, the overspeed protector OS-PROT of 
Chapter 5 assumes that none of the vehicles collide among themselves and the collision 
protector CL-PROT of Chapter 6 assumes that none of the vehicles exceed the speed limit. 
Similarly, the MERGE-PROT protector of Chapter 7 and the GRAPH-PROT protector of Chap- 
ter 8 guarantee that none of the vehicles collide among themselves in the MERGE-VEHICLES 
and GRAPH-VEHICLES automata, respectively, provided that all the vehicles are abiding by 
the speed limit. In this chapter, we compose the overspeed and collision protectors for the 
VEHICLES automaton and show that the resulting protector guarantees that the vehicles in 
the VEHICLES automaton neither exceed the speed limit, nor collide among themselves. We 
extend these results to the MERGE-VEHICLES and GRAPH-VEHICLES automata after assum- 
ing that the overspeed protector OS-PROT of Chapter 5 extends, virtually unchanged, to 
the MERGE-VEHICLES and GRAPH-VEHICLES automata. 

9.1 Overspeed and Collision Avoidance for the VEHICLES 
Automaton 

In the following lemma, we show that the composition of the protectors OS-PROT and CL- 
PROT guarantees that the vehicles in the VEHICLES automaton neither exceed the speed 
limit, nor collide among themselves. 
Lemma 9.1.1 The composition of OS-PROT and CL-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$.

In the following proof, we show that all the states of an execution of PP × OS-PROT × CL-PROT starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$ are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. This is done by applying Theorem 3.1.7 and showing that the second condition of the theorem does not hold.

Proof: Let $\alpha$ be any execution of the system PP × OS-PROT × CL-PROT starting from a state in $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$.

From Theorem 3.1.7, one of the following holds:

1. Every state in $\alpha$ is in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.

2. $\alpha$ can be written as $\alpha_1 \frown \alpha_2$, where

(a) All state occurrences in $\alpha_1$ except possibly the last are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.

(b) The last state occurrence in $\alpha_1$ is in $\overline{G}_i$, for some $i \in \{\text{OS-PROT}, \text{CL-PROT}\}$, if and only if it is in $\overline{G}_{i'}$, for $i' \in \{\text{OS-PROT}, \text{CL-PROT}\}$, $i' \ne i$.

(c) All state occurrences in $\alpha_2$ except possibly the first state occurrence of $\alpha_2$ are in $\mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$.

We proceed by showing that it is not possible to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$ as proposed by the second clause of Theorem 3.1.7. Then it trivially follows that the first clause of Theorem 3.1.7 holds; that is, for any such $\alpha$, all states are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$.

The violation of $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ can occur through the violation of either $G_{\text{OS-PROT}}$, or $G_{\text{CL-PROT}}$. On one hand, provided that no collisions have occurred, the violation of $G_{\text{OS-PROT}}$ can only occur within a trajectory of the VEHICLES automaton. On the other hand, the violation of $G_{\text{CL-PROT}}$ can only occur through the execution of a $\mathit{colliding\text{-}pair}(i,i')$ action, for some $i,i' \in I, i' \ne i$. We analyze each of these cases separately.

1. In the first case, the key point is that the violation of the speed limit by any of the 
vehicles in the VEHICLES automaton can only occur within a trajectory and that a 
collision can not be recorded within a trajectory. Therefore, the fact that the speed 
limit is violated prior to the occurrence of any vehicle collisions would imply that the 
OS-PROT protector is not working correctly; that is, Corollary 5.3.1 is false. 



Let $w$ be the first trajectory in $\alpha$ containing a state occurrence in $\overline{G}_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. Suppose that $w$ is a $T_i$-trajectory and let $T'_i$ be the subset of $T_i$ consisting of all $t$ such that $(i,t,w(t)) \in \mathit{past}(\overline{G}_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha)$. Then $T'_i$ is a non-empty subinterval of $T_i$ that is "upward-closed", i.e., if $t \in T'_i$, $t' \in T_i$, and $t < t'$, then $t' \in T'_i$. Since $T'_i$ is an interval of reals, it has a left endpoint $t$ which might or might not itself be in $T'_i$. It is important to note that since the $\mathit{collided}(i,i')$ variables, for $i,i' \in I, i \ne i'$, remain constant throughout any trajectory of the VEHICLES automaton, it is only possible to violate the $G_{\text{OS-PROT}}$ condition within the trajectory $w$; that is, all the states in $w$ are in the set $G_{\text{CL-PROT}}$. Therefore, letting $s = w(t)$, all state occurrences in $\alpha$ that precede the state occurrence $(i,t,s)$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. Now, we attempt to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$.

(a) Suppose we split $\alpha$ at any state preceding the state $(i,t,s)$. Then the state $(i,t,s)$ is in $\alpha_2$. Since $(i,t,s)$ is in $G_{\text{CL-PROT}}$ and all states that precede the state $(i,t,s)$ are in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$, it is the case that $(i,t,s) \notin \mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$. Since the state $(i,t,s)$ is not the first state in $\alpha_2$, the third condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(b) Suppose we split $\alpha$ at the state $(i,t,s)$ and suppose that the state $(i,t,s)$ is not the last state of $w$. Then any state of the trajectory $w$ that succeeds the state $(i,t,s)$ is in $\alpha_2$. Moreover, since all of the states in $w$ are in $G_{\text{CL-PROT}}$, none of the states in $w$ that succeed $(i,t,s)$ are in $\mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

(c) Suppose we split $\alpha$ at the state $(i,t,s)$ and suppose that the state $(i,t,s)$ is the last state of $w$. Then since $w$ is the first trajectory in $\alpha$ containing an occurrence of a state in $\overline{G}_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$, it follows that $(i,t,s) \notin G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. Moreover, since all the states in $w$ are in $G_{\text{CL-PROT}}$, it is the case that $(i,t,s) \in \overline{G}_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. Therefore, the second condition is violated and this decomposition of $\alpha$ is not valid.

(d) Suppose we split $\alpha$ at a state $s''$ that succeeds the state $(i,t,s)$. Let $(i,t',s')$ be a state of the trajectory $w$ that succeeds the state $(i,t,s)$ and precedes the state $s''$. The state $(i,t',s')$ is in $\alpha_1$. By definition of $T'_i$, it is the case that $(i,t',s')$ is in $\mathit{past}(\overline{G}_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}, \alpha)$. Therefore, the first condition is violated and this decomposition of $\alpha$ is not valid.

2. In the second case, the key point is that a collision can only be recorded by an action 
and that such an action can not cause the velocity of a vehicle to exceed the speed 
limit. Therefore, the fact that a collision among the vehicles occurs prior to the 
violation of the speed limit would imply that the CL-PROT protector is not working 
correctly, i.e., Lemma 6.3.1 is false. 

Without loss of generality, suppose that the $G_{\text{CL-PROT}}$ condition is violated through a $\mathit{colliding\text{-}pair}(i,i')$ action, for some $i,i' \in I, i' \ne i$. Let $p$ and $p'$ be the states of the system prior to and succeeding this $\mathit{colliding\text{-}pair}(i,i')$ action, i.e., $p,p' \in \mathit{VALID}$ such that $p \xrightarrow{\pi} p'$, where $\pi = \mathit{colliding\text{-}pair}(i,i')$. Since the $\mathit{colliding\text{-}pair}(i,i')$ action only sets the $\mathit{collided}(i,i')$ variable to True, it follows that the state $p'$ is in the set $G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$. Now, we attempt to decompose $\alpha$ into $\alpha_1$ and $\alpha_2$.

(a) Suppose we split $\alpha$ at any state preceding the state $p$. Then the state $p$ is in $\alpha_2$. Since $p'$ is the first state in $G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$, it is the case that all the states of $\alpha$ preceding $p'$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$; that is, $p \notin \mathit{past}(\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}, \alpha)$ and $p \notin \mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$. Since $p$ is not the first state in $\alpha_2$, the third condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(b) Suppose we split $\alpha$ at the state $p$. Then the state $p'$ is in $\alpha_2$. Since $p'$ is the first state in $G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$, it is the case that all the states of $\alpha$ preceding $p'$ are in the set $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$; that is, $p \notin \mathit{past}(\overline{G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}}, \alpha)$ and, moreover, $p \notin \mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$. Since $p'$ follows from $p$ in a single step and $p' \in G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$, it is the case that $p' \notin \mathit{past}(\overline{G}_{\text{OS-PROT}}, \alpha) \cap \mathit{past}(\overline{G}_{\text{CL-PROT}}, \alpha)$. Therefore, the third condition is violated and this decomposition of $\alpha$ is not valid.

(c) Suppose we split $\alpha$ at the state $p'$. Then $p'$ is the last state of $\alpha_1$ and the first state of $\alpha_2$. Since $p' \in G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$, the second condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

(d) Suppose we split $\alpha$ at any state succeeding $p'$. Then the state $p'$ is in $\alpha_1$. Since $p' \in G_{\text{OS-PROT}} \cap \overline{G}_{\text{CL-PROT}}$, the first condition is violated. Therefore, this decomposition of $\alpha$ is not valid.

Therefore, the execution $\alpha$ cannot be decomposed into any such $\alpha_1$ and $\alpha_2$. It follows that the first clause of Theorem 3.1.7 must hold; that is, every state in $\alpha$ is in $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$. This implies that the protector OS-PROT × CL-PROT guarantees $G_{\text{OS-PROT}} \cap G_{\text{CL-PROT}}$ in the VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{CL-PROT}}$. ■



9.2 Overspeed and Collision Avoidance for the MERGE-VEHICLES Automaton

In the following lemma, we state that the composition of the protectors OS-PROT and 
MERGE-PROT guarantees that the vehicles of the MERGE-VEHICLES automaton neither ex- 
ceed the speed limit, nor collide among themselves. It is important to note that it is assumed 
without proof that the protector OS-PROT and the Corollary 5.3.1 extend to the MERGE- 
VEHICLES automaton. In fact, since the strategy of the OS-PROT protector defined for the 
VEHICLES automaton in Chapter 5 does not depend on the nature of the track topology, 
the OS-PROT protector of Chapter 5 extends to the MERGE-VEHICLES automaton virtually 
unchanged. 
Lemma 9.2.1 The composition of OS-PROT and MERGE-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{MERGE-PROT}}$ in the MERGE-VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{MERGE-PROT}}$.

Proof: This proof follows precisely the steps of the proof of Lemma 9.1.1. ■

9.3 Overspeed and Collision Avoidance for the GRAPH-VEHICLES Automaton

In the following lemma, we state that the composition of the protectors OS-PROT and 
GRAPH-PROT guarantees that the vehicles of the GRAPH-VEHICLES automaton neither ex- 
ceed the speed limit, nor collide among themselves. It is important to note that it is assumed 
without proof that the protector OS-PROT and the Corollary 5.3.1 extend to the GRAPH- 
VEHICLES automaton. In fact, since the strategy of the OS-PROT protector defined for the 
VEHICLES automaton in Chapter 5 does not depend on the nature of the track topology, 
the OS-PROT protector of Chapter 5 extends to the GRAPH-VEHICLES automaton virtually 
unchanged. 

Lemma 9.3.1 The composition of OS-PROT and GRAPH-PROT is a protector that guarantees $G_{\text{OS-PROT}} \cap G_{\text{GRAPH-PROT}}$ in the GRAPH-VEHICLES automaton starting from $S_{\text{OS-PROT}} \cap S_{\text{GRAPH-PROT}}$.

Proof: This proof follows precisely the steps of the proof of Lemma 9.1.1. ■
Chapter 10

Conclusions and Future Work



This thesis investigates how the formal modeling and verification techniques of computer 
science can be used for the analysis of hybrid systems. The motivation behind such research 
lies in the inherent similarity of the hierarchical and decentralized control strategies of 
hybrid systems and the formal techniques used for the verification of distributed systems in 
computer science. The thesis focuses on the development of techniques that use hybrid I/O 
automata to model automated transportation systems and to verify that their protection 
subsystems enforce the desired safety properties. The long-term goal of such research is 
to develop a simple and scalable framework for modeling complex hybrid systems with 
stringent safety and performance requirements. 

10.1 Summary 

The thesis is split into two major parts. First, we develop an abstract model of a physical 
plant that is interacting with several protectors. Second, we specialize the abstract models 
of the physical system and the protectors to simplified versions of the PRT 2000™ and its 
overspeed and collision protection subsystems. 

As indicated above, the first part of the thesis is devoted to the development of an abstract 
model of a physical plant and a number of protectors that guarantee particular safety or 
performance properties. Both the physical plant and the protectors are modeled as hybrid 
I/O automata. The protector automata communicate with the physical plant automaton 
through shared variables and discrete actions. If $S$, $R$, and $G$ are subsets of the states of 
the physical plant, then a protector automaton $A$ for the physical plant PP guarantees $G$ 
from $S$ given $R$ provided that every finite execution of the composition PP × $A$ starting in 
a state in $S$ that only involves states in $R$ ends in a state in $G$. It is shown that if two or 
more protectors do not rely on the correct operation of each other, i.e., if the protectors 
are independent, then their composition guarantees the properties guaranteed by each of 
the protectors being composed. On the other hand, if the protectors rely on the correct 
operation of each other, their composition guarantees the properties guaranteed by each of 
the protectors being composed only under certain conditions. 

The abstract protector is parameterized in terms of the physical plant PP, the start states 
S, the sets of guarantee G and reliance R, the port j through which it communicates with 
the physical plant automaton, and the sampling period d. It is defined as the composition 
of a sensor and a discrete controller, both modeled as hybrid I/O automata. The sensor 
automaton samples the output variables of the physical plant at intervals of d time units and 
the discrete controller automaton issues protective actions so as to ensure that the physical 
plant exhibits the desired safety properties. The correctness of the abstract protector re- 
duces the correctness proof of a protector implementation to a simulation proof among the 
states of the implementation and the particular instantiation of the abstract protector. 

The second part of the thesis involves the proof of correctness of overspeed and collision 
protectors for a simple model of an automated transportation system involving n vehicles. 
The overspeed and collision protectors are redefined for three types of track topology: a 
single track, a track involving a Y-shaped merge, and a general track topology comprised 
of Y-shaped merges and diverges. 

In the case of a single track, the overspeed protector is defined as the composition of n 
protectors, each of which guarantees that a particular vehicle does not exceed the speed 
limit, provided that none of the vehicles collide among themselves. Conversely, the collision 
protector is defined as the composition of n protectors, each of which guarantees that a 
particular vehicle does not collide into any of the vehicles it trails, provided that none of 
the vehicles exceed the speed limit and that none of the other vehicles collide into any of 
the vehicles they respectively trail. 

In the cases of the more complicated track topologies, although the overspeed protector remains unchanged, the collision protectors are restructured. They involve the composition of n(n-1)/2 protectors, each of which guarantees that a particular unordered pair of vehicles do not collide between themselves, provided that none of the vehicles exceed the speed limit and that the vehicles of all other unordered pairs of vehicles do not collide between themselves. 

Due to the correctness proof of the parameterized abstract protector, the proofs of correctness of the overspeed protectors for the individual vehicles and of the collision protectors for either individual, or unordered pairs of vehicles, are straightforward. They simply involve demonstrating the existence of a simulation relation among the states of the particular protector implementations and the particular instantiations of the parameterized abstract protector. 

The composition of the overspeed protectors is straightforward due to their independence. 
The proof of correctness of the overspeed protection subsystem involves the application of 
the aforementioned composition theorems for independent protectors. In the case of the 
collision protectors, since the individual collision protectors rely on the correct operation of 
each other, the proof of correctness of their composition is more involved. It relies on the 
careful decomposition of the collision protection subsystem so that the failure of multiple 
collision protectors at the same instant in time is prohibited. Similarly, the correct operation 
of the composition of the overspeed and collision protection subsystems relies on the fact 
that the overspeed protectors and the collision protectors can only fail through trajectories 
and discrete actions, respectively. 
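The following is an added illustration, not code from the thesis or from the PRT 2000 project: a small sampled-data model of the protector architecture summarized above, in which n overspeed protectors (one per vehicle) and n(n-1)/2 collision protectors (one per unordered pair) are composed over a single physical plant. It uses the pairwise form of the collision protector on a single track, where the summary gives the per-vehicle form, so that the pair structure is visible. Each guard is written as a guarantee/reliance pair: the overspeed guard relies on nothing, while the collision guard relies on the speed limit holding for both vehicles of its pair, which is exactly the dependence the composition argument above has to handle. The vehicle dynamics, the constants A, B, V_MAX, D and DT, the names of the functions, and the brick-wall worst case assumed by the collision guard are all constructed assumptions and do not come from the thesis's model.

```python
"""Constructed sampled-data protector model (not the thesis's PRT 2000 model):
one plant with n vehicles on a single track, n overspeed protectors and
n(n-1)/2 collision protectors composed over it.  Each vehicle accelerates at A
unless a protector commands 'brake', which forces deceleration B until the
next sample D later.  All constants and dynamics are assumptions."""
from dataclasses import dataclass
from itertools import combinations

A = 1.0       # assumed maximum acceleration of an unprotected vehicle (m/s^2)
B = 2.0       # assumed deceleration while 'brake' is in force (m/s^2)
V_MAX = 10.0  # assumed speed limit (m/s)
D = 0.5       # sampling period d shared by all protectors (s)
DT = 0.01     # step used to integrate the plant's trajectories (s)


@dataclass
class Vehicle:
    x: float  # position along the track (m)
    v: float  # speed (m/s), never negative


def stop_dist(v: float) -> float:
    """Distance covered while braking at B from speed v to rest."""
    return v * v / (2 * B)


def overspeed_guard(v: float) -> bool:
    """Overspeed protector for one vehicle.
    Guarantee: v <= V_MAX on every trajectory.  Reliance: none.
    The next chance to act is D later, so brake now if accelerating at A
    for a whole period could carry the vehicle past the limit."""
    return v + A * D > V_MAX


def collision_guard(trail: Vehicle, lead: Vehicle) -> bool:
    """Collision protector for one unordered pair (trail behind lead).
    Guarantee: trail.x < lead.x on every trajectory.
    Reliance: both vehicles respect V_MAX (bounds trail's speed below).
    Worst case over one period: trail accelerates at A for D while the lead
    stops instantly; trail must still be able to brake to rest short of it."""
    v_next = min(trail.v + A * D, V_MAX)  # uses the overspeed guarantee
    reach = trail.v * D + 0.5 * A * D * D + stop_dist(v_next)
    return lead.x - trail.x <= reach


def controller(sample: list, protect: bool) -> set:
    """Discrete controller: indices that must brake until the next sample.
    Vehicles are indexed in track order, so i < j means i trails j."""
    brake = set()
    if not protect:
        return brake
    for i, veh in enumerate(sample):
        if overspeed_guard(veh.v):
            brake.add(i)
    for i, j in combinations(range(len(sample)), 2):
        if collision_guard(sample[i], sample[j]):
            brake.add(i)  # the protective action falls on the trailing vehicle
    return brake


def step(veh: Vehicle, accel: float) -> None:
    """Advance one vehicle by DT under constant acceleration, stopping exactly
    at rest rather than integrating through to a negative speed."""
    v_new = veh.v + accel * DT
    if v_new < 0:
        veh.x += veh.v * veh.v / (2 * -accel)
        veh.v = 0.0
    else:
        veh.x += 0.5 * (veh.v + v_new) * DT
        veh.v = v_new


def simulate(initial: list, seconds: float, protect: bool = True) -> dict:
    """Plant composed with all protectors.  Unprotected vehicles always
    accelerate (an adversarial plant).  Both safety properties are checked
    along the whole trajectory, not only at the sampling instants."""
    plant = [Vehicle(v.x, v.v) for v in initial]
    safe, max_speed, min_gap = True, 0.0, float("inf")
    for _ in range(round(seconds / D)):
        sample = [Vehicle(v.x, v.v) for v in plant]  # sensor: exact snapshot
        brake = controller(sample, protect)
        for _ in range(round(D / DT)):
            for i, veh in enumerate(plant):
                step(veh, -B if i in brake else A)
            max_speed = max(max_speed, max(v.v for v in plant))
            for i in range(len(plant) - 1):
                min_gap = min(min_gap, plant[i + 1].x - plant[i].x)
            if max_speed > V_MAX + 1e-9 or min_gap <= 0:
                safe = False
    return {"safe": safe, "max_speed": max_speed, "min_gap": min_gap}


if __name__ == "__main__":
    # constructed scenario: a fast vehicle 30 m behind a slow one
    fleet = [Vehicle(0.0, 9.0), Vehicle(30.0, 2.0), Vehicle(60.0, 8.0)]
    print(simulate(fleet, 20.0))                  # safe: True
    print(simulate(fleet, 20.0, protect=False))   # safe: False
```

With protect=True the constructed fleet keeps both properties for the entire run, while protect=False lets the accelerating plant break the speed limit within a few periods. The structure makes the sampling-period argument concrete: a guard decides on a sample that will be up to d old before the controller can act again, so it must cover the worst the plant can do during that interval, and the collision guard's clamp to V_MAX is the point at which it leans on the overspeed protectors' guarantee.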

10.2 Evaluation 

The contributions of this thesis are twofold. First, we develop an abstract model of an 
automated transportation system comprised of a physical plant and an arbitrary number of 
protectors. Second, we specialize the abstract model so as to analyze and verify a particular 
automated transportation system and its overspeed and collision protection systems. 

The abstract models that are developed include the physical plant and a number of protectors. The abstract protector is parameterized in terms of the physical system, its start states, its sets of guarantee and reliance, the port through which it communicates with the physical plant, and the sampling period. Therefore, the specification of a particular automated transportation system involves refinement of the abstract model. Moreover, the proof of correctness of the abstract model leads to simple correctness proofs of the protector implementations for particular instantiations of the abstract model. Finally, composition of independent protectors is straightforward: the safety properties of the individual protectors are guaranteed by the composed protector. Such compositional assertions also hold for dependent protectors under certain conditions. The use of abstraction, modular decomposition, and composition is intended to make the formal analysis and verification of large and complex hybrid systems scalable. 

In this work, we demonstrate how hybrid I/O automaton techniques can be applied to 
the specification and verification of a very general automated transportation problem. We 
believe that the techniques developed in this thesis complement more traditional safety 
analysis. For example, safety engineers typically perform a fault-tree analysis to identify 
possible causes of each system hazard and related dependencies among system components. 
In our work, we use composition of automata to formalize these dependencies: to yield a 
speed limited system, we compose the physical plant with a set of overspeed protectors, 
one for each vehicle, and assume that no collisions occur in the physical system; conversely, 
to yield a collision free physical system, we compose the physical system with a set of 
collision protectors, either one for each vehicle, or one for each unordered pair of vehicles, 
and assume that none of the vehicles exceed the speed limit. The composition of the 
physical system in such ways formalizes the independence of the overspeed protectors, the 
interdependence of the collision protectors and more importantly the interdependence of 
the overspeed protectors and the collision protectors. We believe a more comprehensive 
treatment in this style of all the protection subsystems would, as a by-product, yield a 
significant subtree of the fault-tree. 

10.3 Future Work 

In this thesis, the treatment of automated transportation systems is a case study in the use 
of hybrid I/O automata to formally model hybrid systems. The focus of the research is in the 
use of abstraction, modularity, and composition to develop an abstract model of automated 
transportation systems to be used in the analysis and verification of transportation systems 
in use or under development. The long-term goal is to see how the formal methods of 
computer science can be used to formally model hybrid systems in a modular and systematic 
way and to verify their safety or performance characteristics. However, issues that have yet 
to be addressed involve the topics of robustness, scalability, tractability, and the use of 
formal methods as part of the system design process. 

The work in this thesis assumes an ideal system; that is, the communication among the various subsystems is assumed to be correct and reliable, and to occur in a timely fashion. Moreover, the sampling of the state of the physical plant is assumed to be exact and the effects of the protective actions are assumed to be precise. Since these assumptions are far from realistic, future research could involve the development of formal methods for analyzing and verifying automated transportation systems that are robust with respect to communication delays and uncertainty. For example, the treatment of automated transportation systems of this thesis could be extended to allow delays in the communication between the plant and the protectors and uncertainty either in the sampling of the state or in the effects of the protective actions. The treatment of automated transportation systems could also be extended to allow fault tolerance; for example, allowing the track topology to be dynamic so that vehicles are not allowed to travel on branches of the track that have failed either structurally or due to unexpected accidents. 

In this thesis, we develop formal modeling techniques that are based on abstraction, modularity, and subsystem composition. The motivation behind this approach is the intent to model and verify complex hybrid systems that involve hierarchical and decentralized control schemes. Therefore, it is imperative to examine the scalability and tractability characteristics of the formal modeling techniques developed. The success in modeling the overspeed and collision protectors of an automated transportation system in this thesis indicates that the modeling techniques that are based on hybrid I/O automata are scalable to larger and more complex systems. However, the study and formal analysis of more complex systems remains to be done. In particular, it would be interesting to examine how complex continuous-time dynamics affect the formal modeling tools developed in this thesis. Moreover, the lengthy correctness proofs, which were done by hand in this thesis, expose issues of tractability concerning the analysis and verification of complex transportation systems. In fact, they dictate that computer aided verification methods for hybrid I/O automata be developed. 

The formal modeling techniques developed in this thesis are techniques intended for the analysis and verification of automated transportation systems. Future research could investigate the potential of using formal methods of computer science as an integral part of the design of the hierarchical and decentralized control schemes of automated transportation systems and of hybrid systems in general. 






References 



[1] Jean-Raymond Abrial, Egon Börger, and Hans Langmaack. Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control. In G. Goos, J. Hartmanis, and J. van Leeuwen, editors, Methods for Semantics and Specification, International Conference and Research Center for Computer Science, volume 1165 of Lecture Notes in Computer Science. Springer-Verlag, October 1996. The Methods for Semantics and Specification, International Conference and Research Center for Computer Science took place in Schloss Dagstuhl, Germany, in June 1995. 

[2] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A. Henzinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, and Sergio Yovine. The Algorithmic Analysis of Hybrid Systems. Theoretical Computer Science, 138(1):3-34, February 1995. Preliminary version appeared as Ref. 3. 

[3] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A. Henzinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, and Sergio Yovine. The Algorithmic Analysis of Hybrid Systems. In Proc. 11th International Conference on Analysis and Optimization of Systems, Discrete-Event Systems, volume 199 of Lecture Notes in Control and Information Sciences, pages 331-351. Springer-Verlag, 1994. 

[4] Rajeev Alur, Costas Courcoubetis, Thomas A. Henzinger, and Pei-Hsin Ho. Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems. In Hybrid Systems, volume 736 of Lecture Notes in Computer Science, pages 209-229. Springer-Verlag, 1993. Extended version appeared as Ref. 2. 

[5] Rajeev Alur and David L. Dill. Automata for Modeling Real-Time Systems. In Proc. 17th International Colloquium on Automata, Languages and Programming (ICALP'90), volume 443 of Lecture Notes in Computer Science, pages 322-335. Springer-Verlag, 1990. 

[6] Rajeev Alur and David L. Dill. A Theory of Timed Automata. Theoretical Computer Science, 126:183-235, 1994. Preliminary version appeared as Ref. 5. 

[7] Michael S. Branicky. Studies in Hybrid Systems: Modeling, Analysis, and Control. Doctor of Science Thesis, Dept. of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, June 1995. 

[8] Ekaterina Dolginova and Nancy A. Lynch. Safety Verification for Automated Platoon Maneuvers: A Case Study. In Oded Maler, editor, Proc. International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 154-170. Springer-Verlag, 1997. The International Workshop on Hybrid and Real-Time Systems took place in Grenoble, France, in March 1997. 

[9] Jean-Marie Flaus and Guy Ollagnon. Hybrid Flow Nets of Hybrid Processes Modeling and Control. In Oded Maler, editor, Proc. International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 213-227. Springer-Verlag, 1997. The International Workshop on Hybrid and Real-Time Systems took place in Grenoble, France, in March 1997. 

[10] Rainer Gawlick, Roberto Segala, Jørgen Søgaard-Andersen, and Nancy A. Lynch. Liveness in Timed and Untimed Systems. Technical Report MIT/LCS/TR-587, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, December 1993. 

[11] Rainer Gawlick, Roberto Segala, Jørgen Søgaard-Andersen, and Nancy A. Lynch. Liveness in Timed and Untimed Systems. In Serge Abiteboul and Eli Shamir, editors, Proc. 21st International Colloquium on Automata, Languages and Programming (ICALP'94), volume 820 of Lecture Notes in Computer Science, pages 166-177. Springer-Verlag, 1994. The 21st International Colloquium on Automata, Languages and Programming (ICALP'94) took place in Jerusalem, Israel, in July 1994. Full version appeared as Ref. 10. 

[12] Datta N. Godbole and John Lygeros. Longitudinal Control of a Lead Car of a Platoon. IEEE Transactions on Vehicular Technology, 43(4):1125-1135, November 1994. Also appeared in Proc. 13th American Control Conference, pages 398-402, Baltimore, Maryland, June/July 1994. 

[13] Datta N. Godbole, John Lygeros, and Shankar Sastry. Hierarchical Hybrid Control: a Case Study. In P. Antsaklis, W. Kohn, A. Nerode, and S. Sastry, editors, Hybrid Systems II, volume 999 of Lecture Notes in Computer Science, pages 166-190. Springer-Verlag, 1995. Also appeared in Proc. 33rd IEEE Conference on Decision and Control, pages 1592-1597, Orlando, Florida, December 1994. 

[14] Robert L. Grossman, Anil Nerode, Anders P. Ravn, and Hans Rischel, editors. Hybrid Systems, volume 736 of Lecture Notes in Computer Science. Springer-Verlag, 1993. This volume of LNCS was inspired by a workshop on the Theory of Hybrid Systems, held on Oct. 19-21, 1992 at the Technical University, Lyngby, Denmark, and by a prior Hybrid Systems Workshop, held on June 10-12, 1991 at the Mathematical Sciences Institute, Cornell University. 

[15] Constance Heitmeyer and Nancy Lynch. The Generalized Railroad Crossing: A Case Study in Formal Verification of Real-Time Systems. In Proc. 15th IEEE Real-Time Systems Symposium, pages 120-131, San Juan, Puerto Rico, December 1994. IEEE Computer Society Press. 

[16] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. Temporal Proof Methodologies for Real-Time Systems. In Proc. 18th Annual Symposium on Principles of Programming Languages, pages 353-366. ACM Press, 1991. 

[17] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. Timed Transition Systems. In J.W. de Bakker, K. Huizing, W.P. de Roever, and G. Rozenberg, editors, Proc. REX Workshop "Real-Time: Theory in Practice", volume 600 of Lecture Notes in Computer Science, pages 226-251. Springer-Verlag, 1992. The REX Workshop "Real-Time: Theory in Practice" took place in Mook, The Netherlands, in June 1991. 

[18] Thomas A. Henzinger, Zohar Manna, and Amir Pnueli. Temporal Proof Methodologies for Timed Transition Systems. Information and Computation, 112(2):273-337, August 1994. Preliminary versions of Part I and Part II appeared as Refs. 17 and 16, respectively. 

[19] Leslie Lamport. The Temporal Logic of Actions. Research Report 79, Digital Equipment Corporation Systems Research Center, Palo Alto, California, December 1991. 

[20] Leslie Lamport. The Temporal Logic of Actions. ACM Transactions on Programming Languages and Systems, 16(3):872-923, May 1994. Also appeared as Ref. 19. 

[21] Gunter Leeb and Nancy A. Lynch. Proving Safety Properties of the Steam Boiler Controller. In J.R. Abrial, E. Börger, and H. Langmaack, editors, Formal Methods for Industrial Applications: Specifying and Programming the Steam Boiler Control, volume 1165 of Lecture Notes in Computer Science. Springer-Verlag, October 1996. Preliminary version presented as "Using Timed Automata for the Steam Boiler Controller Problem" at the Methods for Semantics and Specification, International Conference and Research Center for Computer Science in Schloss Dagstuhl, Germany in June 1995. 

[22] John Lygeros. Hierarchical, Hybrid Control of Large Scale Systems. Doctor of Philosophy Thesis, Dept. of Electrical Engineering and Computer Sciences, University of California, Berkeley, May 1996. 

[23] John Lygeros and Datta N. Godbole. An Interface between Continuous and Discrete Event Controllers for Vehicle Automation. In Proc. 13th American Control Conference, pages 801-805, Baltimore, Maryland, June/July 1994. Also appeared as Ref. 24. 

[24] John Lygeros and Datta N. Godbole. An Interface between Continuous and Discrete Event Controllers for Vehicle Automation. Technical Report UCB-ITS-PRR-94-12, Institute of Transportation Studies, University of California, Berkeley, April 1994. 

[25] John Lygeros, Datta N. Godbole, and Shankar Sastry. A Verified Hybrid Controller for Automated Vehicles. In 35th IEEE Conference on Decision and Control (CDC'96), pages 2289-2294, Kobe, Japan, December 1996. 

[26] John Lygeros, Datta N. Godbole, and Shankar Sastry. A Verified Hybrid Controller for Automated Vehicles. Technical Report UCB-ITS-PRR-97-9, Institute of Transportation Studies, University of California, Berkeley, 1997. To appear in the Special Issue on Hybrid Systems of the IEEE Transactions on Automatic Control. Preliminary version appeared as Ref. 25. 

[27] John Lygeros, Datta N. Godbole, and Shankar Sastry. A Game Theoretic Approach to Hybrid System Design. In R. Alur, T. Henzinger, and E. Sontag, editors, Proc. DIMACS/SYCON Workshop on Verification and Control of Hybrid Systems, Hybrid Systems III: Verification and Control, volume 1066 of Lecture Notes in Computer Science. Springer-Verlag, 1996. The DIMACS/SYCON Workshop on Verification and Control of Hybrid Systems took place in New Brunswick, New Jersey, in October 1995. 

[28] Nancy Lynch, Roberto Segala, Frits Vaandrager, and H. B. Weinberg. Hybrid I/O Automata. Technical Memo MIT/LCS/TM-544, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, December 1995. 

[29] Nancy Lynch, Roberto Segala, Frits Vaandrager, and H. B. Weinberg. Hybrid I/O Automata. In R. Alur, T. Henzinger, and E. Sontag, editors, Proc. DIMACS/SYCON Workshop on Verification and Control of Hybrid Systems, Hybrid Systems III: Verification and Control, volume 1066 of Lecture Notes in Computer Science, pages 496-510. Springer-Verlag, 1996. The DIMACS/SYCON Workshop on Verification and Control of Hybrid Systems took place in New Brunswick, New Jersey, in October 1995. 

[30] Nancy Lynch, Roberto Segala, Frits Vaandrager, and H. B. Weinberg. Hybrid I/O Automata. Preprint. Preliminary versions appeared as Refs. 28 and 29, June 1997. 

[31] Nancy Lynch and Frits Vaandrager. Forward and Backward Simulations — Part I: Untimed Systems. Technical Memo MIT/LCS/TM-486, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, May 1993. 

[32] Nancy Lynch and Frits Vaandrager. Forward and Backward Simulations — Part I: Untimed Systems. Information and Computation, 121(2):214-233, September 1995. Preliminary version appeared as Ref. 31. 

[33] Nancy Lynch and Frits Vaandrager. Forward and Backward Simulations — Part II: Timing-Based Systems. Technical Memo MIT/LCS/TM-487.C, Laboratory for Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, April 1995. 

[34] Nancy Lynch and Frits Vaandrager. Forward and Backward Simulations — Part II: Timing-Based Systems. Information and Computation, 128(1):1-25, July 1996. Preliminary version appeared as Ref. 33. 

[35] Oded Maler, Zohar Manna, and Amir Pnueli. From Timed to Hybrid Systems. In J.W. de Bakker, K. Huizing, W.P. de Roever, and G. Rozenberg, editors, Proc. REX Workshop "Real-Time: Theory in Practice", volume 600 of Lecture Notes in Computer Science, pages 447-484. Springer-Verlag, 1992. The REX Workshop "Real-Time: Theory in Practice" took place in Mook, The Netherlands, in June 1991. 

[36] Zohar Manna and Amir Pnueli. Verifying Hybrid Systems. In Robert L. Grossman, Anil Nerode, Anders P. Ravn, and Hans Rischel, editors, Hybrid Systems, volume 736 of Lecture Notes in Computer Science, pages 4-35. Springer-Verlag, 1993. 

[37] Amir Pnueli and Joseph Sifakis, editors. Special Issue on Hybrid Systems, volume 138, part 1 of Theoretical Computer Science. Elsevier Science Publishers, February 1995. 

[38] Thomas Stauner, Olaf Müller, and Max Fuchs. Using HyTech to Verify an Automotive Control System. In Oded Maler, editor, Proc. International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 139-153. Springer-Verlag, 1997. The International Workshop on Hybrid and Real-Time Systems took place in Grenoble, France, in March 1997. 

[39] Peter Terwiesch, Erich Scheiben, Anders Jenry Petersen, and Thomas Keller. A Digital Real-Time Simulator for Rail-Vehicle Control System Testing. In Oded Maler, editor, Proc. International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 199-212. Springer-Verlag, 1997. The International Workshop on Hybrid and Real-Time Systems took place in Grenoble, France, in March 1997. 

[40] Adam L. Turk, Scott T. Probst, and Gary J. Powers. Verification of Real Time Chemical Processing Systems. In Oded Maler, editor, Proc. International Workshop on Hybrid and Real-Time Systems (HART'97), volume 1201 of Lecture Notes in Computer Science, pages 259-272. Springer-Verlag, 1997. The International Workshop on Hybrid and Real-Time Systems took place in Grenoble, France, in March 1997. 

[41] Pravin Varaiya. Smart Cars on Smart Roads: Problems of Control. IEEE Transactions on Automatic Control, 38(2):195-207, 1993. 

[42] H. B. Weinberg, Nancy Lynch, and Norman Delisle. Verification of Automated Vehicle Protection Systems. In R. Alur, T. Henzinger, and E. Sontag, editors, Hybrid Systems III: Verification and Control, volume 1066 of Lecture Notes in Computer Science, pages 101-113. Springer-Verlag, 1996. 

[43] Henri B. Weinberg. Correctness of Vehicle Control Systems: A Case Study. Master of Science Thesis, Dept. of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, Massachusetts, February 1996. 